
Windows Analysis Report
PROOF OF PAYMENT.scr.exe

Overview

General Information

Sample name: PROOF OF PAYMENT.scr.exe
Analysis ID: 1431488
MD5: 11b19b59f657910f0af49721a77bc2dd
SHA1: 3078779d892bd96e5dfddb76d491f52eefd39a2d
SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
Tags: exe, NanoCore, RAT

Detection

Nanocore, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected PureLog Stealer
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PROOF OF PAYMENT.scr.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7720 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7404 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PROOF OF PAYMENT.scr.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • PROOF OF PAYMENT.scr.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • PROOF OF PAYMENT.scr.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
      • WerFault.exe (PID: 7992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • hXGmUcb.exe (PID: 7672 cmdline: C:\Users\user\AppData\Roaming\hXGmUcb.exe MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • schtasks.exe (PID: 7884 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hXGmUcb.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\hXGmUcb.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
  • dnshost.exe (PID: 8088 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • schtasks.exe (PID: 7192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dnshost.exe (PID: 7532 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • dnshost.exe (PID: 7536 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
  • cleanup
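The process tree above carries three facts worth extracting mechanically rather than by eye: the sample starts three fresh instances of its own binary (the pattern behind the "creates a process in suspended mode" and injection signatures), byte-identical copies of it run later as hXGmUcb.exe and dnshost.exe (same MD5, different path), and powershell.exe and schtasks.exe appear only as children of those copies. The Python below is an added example, not part of the Joe Sandbox report: it parses a tree in exactly this bullet layout and answers those three questions. The tree text is a constructed copy of the lines above; the function names are the example's own.

```python
import re

# Constructed sample: the process tree of this report, copied in the report's
# own "• name (PID: n cmdline: ... MD5: ...)" layout (two spaces per level).
PROCESS_TREE = r"""
  • System is w10x64
  • PROOF OF PAYMENT.scr.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7720 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7404 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PROOF OF PAYMENT.scr.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • PROOF OF PAYMENT.scr.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • PROOF OF PAYMENT.scr.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
      • WerFault.exe (PID: 7992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • hXGmUcb.exe (PID: 7672 cmdline: C:\Users\user\AppData\Roaming\hXGmUcb.exe MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • schtasks.exe (PID: 7884 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hXGmUcb.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\hXGmUcb.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
  • dnshost.exe (PID: 8088 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • schtasks.exe (PID: 7192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dnshost.exe (PID: 7532 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
    • dnshost.exe (PID: 7536 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 11B19B59F657910F0AF49721A77BC2DD)
  • cleanup
"""

LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<name>.+?) \(PID: (?P<pid>\d+) cmdline: "
    r"(?P<cmd>.*?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


def image_of(cmdline):
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return m.group(1) or m.group(2)


def parse_tree(text):
    """Return {pid: record}; parent links are recovered from the bullet indentation."""
    procs, stack = {}, []          # stack holds (indent, pid) of the open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                  # "System is w10x64" and "cleanup" carry no PID
            continue
        indent, pid = len(m["indent"]), int(m["pid"])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        procs[pid] = {
            "pid": pid, "name": m["name"], "cmd": m["cmd"],
            "md5": m["md5"].lower(), "image": image_of(m["cmd"]),
            "parent": stack[-1][1] if stack else None,
        }
        stack.append((indent, pid))
    return procs


def self_spawns(procs):
    """(parent, child) pairs where a process starts a new instance of its own
    binary (same image path and same hash): the self-injection pattern."""
    pairs = []
    for p in procs.values():
        par = procs.get(p["parent"])
        if par and par["md5"] == p["md5"] and par["image"].lower() == p["image"].lower():
            pairs.append((par["pid"], p["pid"]))
    return sorted(pairs)


def dropped_copies(procs, sample_pid):
    """Images at other paths whose MD5 equals the submitted sample's (dropped copies)."""
    s = procs[sample_pid]
    return sorted({p["image"] for p in procs.values()
                   if p["md5"] == s["md5"] and p["image"].lower() != s["image"].lower()})


def lolbin_children(procs, names=("powershell.exe", "schtasks.exe")):
    """(parent pid, child name) for living-off-the-land children, deduplicated."""
    return sorted({(p["parent"], p["name"]) for p in procs.values()
                   if p["name"].lower() in names and p["parent"] is not None})
```

The parent of each line is simply the nearest line above it with a smaller indent, so the parser needs no PID bookkeeping beyond a stack. Hashing the image path plus MD5 rather than the process name is what makes dropped_copies find dnshost.exe under Program Files (x86) even though nothing in its name links it to the sample.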

Malware Configuration

NanoCore (Malware Configuration Extractor):
{
  "Version": "1.2.2.0",
  "Mutex": "3ccbc5bb-95bf-4854-a1cd-6f73b82a",
  "Group": "GLORY",
  "Domain1": "amechi.duckdns.org",
  "Domain2": "amechi.duckdns.org",
  "Port": 3190,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
Source | Rule | Description | Author | Strings
0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xfbb:$a1: NanoCore.ClientPluginHost
  • 0xf7e:$a2: NanoCore.ClientPlugin
0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0x42fbb:$a1: NanoCore.ClientPluginHost
  • 0x56729:$a1: NanoCore.ClientPluginHost
  • 0x6f1f5:$a1: NanoCore.ClientPluginHost
  • 0x42f7e:$a2: NanoCore.ClientPlugin
  • 0x566f4:$a2: NanoCore.ClientPlugin
  • 0x6f1c0:$a2: NanoCore.ClientPlugin
  • 0x43352:$b1: get_BuilderSettings
  • 0x5b66f:$b1: get_BuilderSettings
  • 0x7413b:$b1: get_BuilderSettings
  • 0x43009:$b4: IClientAppHost
  • 0x433c3:$b6: AddHostEntry
  • 0x43432:$b7: LogClientException
  • 0x5b5de:$b7: LogClientException
  • 0x740aa:$b7: LogClientException
  • 0x433a7:$b8: PipeExists
  • 0x42ff6:$b9: IClientLoggingHost
  • 0x56743:$b9: IClientLoggingHost
  • 0x6f20f:$b9: IClientLoggingHost
0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x42f25:$a: NanoCore
  • 0x42f7e:$a: NanoCore
  • 0x42fbb:$a: NanoCore
  • 0x43034:$a: NanoCore
  • 0x566df:$a: NanoCore
  • 0x566f4:$a: NanoCore
  • 0x56729:$a: NanoCore
  • 0x6f1ab:$a: NanoCore
  • 0x6f1c0:$a: NanoCore
  • 0x6f1f5:$a: NanoCore
  • 0x42f87:$b: ClientPlugin
  • 0x42fc4:$b: ClientPlugin
  • 0x438c2:$b: ClientPlugin
  • 0x438cf:$b: ClientPlugin
  • 0x5649b:$b: ClientPlugin
  • 0x564b6:$b: ClientPlugin
  • 0x564e6:$b: ClientPlugin
  • 0x566fd:$b: ClientPlugin
  • 0x56732:$b: ClientPlugin
  • 0x6ef67:$b: ClientPlugin
  • 0x6ef82:$b: ClientPlugin
00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xfbb:$a1: NanoCore.ClientPluginHost
  • 0xf7e:$a2: NanoCore.ClientPlugin
[66 entries in total; the remainder are not shown here]

Source | Rule | Description | Author | Strings
10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xe65:$i5: IClientDataHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xe41:$s1: ClientPlugin
10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xb184:$a1: NanoCore.ClientPluginHost
  • 0xb14f:$a2: NanoCore.ClientPlugin
  • 0x100ca:$b1: get_BuilderSettings
  • 0x10039:$b7: LogClientException
  • 0xb19e:$b9: IClientLoggingHost
[124 entries in total; the remainder are not shown here]

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ParentProcessId: 6852, ParentProcessName: PROOF OF PAYMENT.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ProcessId: 7272, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ParentProcessId: 6852, ParentProcessName: PROOF OF PAYMENT.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ProcessId: 7272, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\hXGmUcb.exe, ParentImage: C:\Users\user\AppData\Roaming\hXGmUcb.exe, ParentProcessId: 7672, ParentProcessName: hXGmUcb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp", ProcessId: 7884, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ParentProcessId: 6852, ParentProcessName: PROOF OF PAYMENT.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", ProcessId: 7404, ProcessName: schtasks.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ProcessId: 7580, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ParentProcessId: 6852, ParentProcessName: PROOF OF PAYMENT.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ProcessId: 7272, ProcessName: powershell.exe
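The System Summary rows above are Sigma matches on three events: powershell.exe adding a Defender exclusion, schtasks.exe importing a task definition from %TEMP% under a parent that lives in a user profile, and a value written under the WOW6432Node Run key. The Python below is an added example, not the Sigma rules themselves and not code from Joe Security or the rule authors: it encodes equivalent conditions as plain predicates and runs them over constructed Sysmon-style events copied from the process tree, plus one constructed benign control that a loose "schtasks /XML" rule would wrongly catch. Field names follow Sysmon EventID 1 and 13, which is an assumption about the log source.

```python
import re

# Constructed sample events modelled on this report's process tree and registry
# write (PIDs, images and command lines copied from it). Field names follow Sysmon
# EventID 1 (process create) / 13 (registry value set); that is an assumption.
EVENTS = [
    {"EventID": 1, "ProcessId": 7272,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'},
    {"EventID": 1, "ProcessId": 7404,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"'},
    {"EventID": 13, "ProcessId": 7580,
     "Image": r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host",
     "Details": r"C:\Program Files (x86)\DNS Host\dnshost.exe"},
    # Benign control (constructed): an admin imports a task from ProgramData via cmd.exe.
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev):
    """Sigma 'Powershell Defender Exclusion': powershell running Add-MpPreference -ExclusionPath."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "powershell.exe":
        return False
    cl = ev["CommandLine"].lower()
    return "add-mppreference" in cl and "-exclusionpath" in cl


def exclusion_in_user_profile(ev):
    """Tighter variant: the excluded path sits inside a user profile, which admins rarely exclude."""
    if not defender_exclusion(ev):
        return False
    m = re.search(r'-exclusionpath\s+"?([^"]+)', ev["CommandLine"], re.I)
    return bool(m and USER_PROFILE.match(m.group(1).strip()))


def schtasks_xml_from_temp(ev):
    """Sigma 'Suspicious Schtasks From Env Var Folder': /Create /XML with the task file in %TEMP%."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return False
    cl = ev["CommandLine"].lower()
    return "/create" in cl and "/xml" in cl and bool(TEMP_DIR.search(cl))


def schtasks_from_user_profile_parent(ev):
    """Sigma 'Suspicious Add Scheduled Task Parent': schtasks spawned by a binary in a user profile."""
    return (ev["EventID"] == 1 and basename(ev["Image"]) == "schtasks.exe"
            and bool(USER_PROFILE.match(ev["ParentImage"])))


def wow6432node_run_key(ev):
    """Sigma 'Wow6432Node CurrentVersion Autorun Keys Modification': value set under the 32-bit Run key."""
    return (ev["EventID"] == 13
            and r"\wow6432node\microsoft\windows\currentversion\run" in ev["TargetObject"].lower())


RULES = (defender_exclusion, exclusion_in_user_profile, schtasks_xml_from_temp,
         schtasks_from_user_profile_parent, wow6432node_run_key)


def run_rules(events, rules=RULES):
    """Return sorted (ProcessId, rule name) pairs for every event a rule matches."""
    return sorted((ev["ProcessId"], r.__name__) for ev in events for r in rules if r(ev))
```

Two of the predicates key on the parent or the excluded path rather than on the child command line alone; that is what keeps the ProgramData control event silent while still firing on both the exclusion and the task import seen here.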

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe", ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ParentProcessId: 6852, ParentProcessName: PROOF OF PAYMENT.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp", ProcessId: 7404, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Snort IDS Alerts

Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
04/25/24-10:07:12.230926  2046914  49736        3190              TCP       A Network Trojan was detected
04/25/24-10:07:44.071335  2046914  49746        3190              TCP       A Network Trojan was detected
04/25/24-10:08:04.153977  2046917  3190         49750             TCP       A Network Trojan was detected
04/25/24-10:07:19.102498  2046914  49743        3190              TCP       A Network Trojan was detected
04/25/24-10:07:52.316693  2046914  49747        3190              TCP       A Network Trojan was detected
04/25/24-10:07:43.166059  2816718  49746        3190              TCP       A Network Trojan was detected
04/25/24-10:07:58.181438  2046914  49749        3190              TCP       A Network Trojan was detected
04/25/24-10:07:37.344999  2046914  49745        3190              TCP       A Network Trojan was detected
04/25/24-10:07:04.775638  2046914  49735        3190              TCP       A Network Trojan was detected
04/25/24-10:08:32.065581  2046917  3190         49755             TCP       A Network Trojan was detected
04/25/24-10:08:15.746456  2046914  49752        3190              TCP       A Network Trojan was detected
04/25/24-10:07:26.388769  2046914  49744        3190              TCP       A Network Trojan was detected
04/25/24-10:08:04.154158  2046914  49750        3190              TCP       A Network Trojan was detected
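Read together, the Snort alerts above are more than thirteen hits on port 3190: almost every alert carries a fresh client port, i.e. a new TCP connection, so the list is really a reconnect timeline. The Python below is an added example, not part of the report or of the Emerging Threats rules it cites: it takes the alerts in a compact one-line form (timestamps, SIDs and ports transcribed from the table above, endpoints from the Networking section), recovers the C2 endpoint as the socket common to every alert, groups alerts into connections by client port, and measures the reconnect cadence. The SID labels are the three ET rule names the report lists; everything else is the example's own.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample: the 13 Snort alerts of this report transcribed as
# "<timestamp> <SID> <src ip:port> -> <dst ip:port>" (all were TCP).
SNORT_ALERTS = """
04/25/24-10:07:04.775638 2046914 192.168.2.4:49735 -> 45.95.169.113:3190
04/25/24-10:07:12.230926 2046914 192.168.2.4:49736 -> 45.95.169.113:3190
04/25/24-10:07:19.102498 2046914 192.168.2.4:49743 -> 45.95.169.113:3190
04/25/24-10:07:26.388769 2046914 192.168.2.4:49744 -> 45.95.169.113:3190
04/25/24-10:07:37.344999 2046914 192.168.2.4:49745 -> 45.95.169.113:3190
04/25/24-10:07:43.166059 2816718 192.168.2.4:49746 -> 45.95.169.113:3190
04/25/24-10:07:44.071335 2046914 192.168.2.4:49746 -> 45.95.169.113:3190
04/25/24-10:07:52.316693 2046914 192.168.2.4:49747 -> 45.95.169.113:3190
04/25/24-10:07:58.181438 2046914 192.168.2.4:49749 -> 45.95.169.113:3190
04/25/24-10:08:04.153977 2046917 45.95.169.113:3190 -> 192.168.2.4:49750
04/25/24-10:08:04.154158 2046914 192.168.2.4:49750 -> 45.95.169.113:3190
04/25/24-10:08:15.746456 2046914 192.168.2.4:49752 -> 45.95.169.113:3190
04/25/24-10:08:32.065581 2046917 45.95.169.113:3190 -> 192.168.2.4:49755
"""

# ET SIDs seen in this report: CnC, outbound keep-alive, inbound keep-alive.
SID_LABELS = {2046914: "cnc", 2816718: "keepalive_out", 2046917: "keepalive_in"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse the one-line alert form into dicts with datetime and (ip, port) endpoints."""
    alerts = []
    for line in text.strip().splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({
                "ts": datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
                "sid": int(m["sid"]),
                "src": (m["sip"], int(m["sport"])),
                "dst": (m["dip"], int(m["dport"])),
            })
    return alerts


def c2_endpoint(alerts):
    """The server socket is the one endpoint present in every alert, as source
    (inbound keep-alive) or destination (outbound CnC)."""
    counts = Counter()
    for a in alerts:
        counts[a["src"]] += 1
        counts[a["dst"]] += 1
    return counts.most_common(1)[0][0]


def sessions(alerts):
    """Map each client socket to the time of its first alert; a new client
    port is a new TCP connection, i.e. one reconnect attempt."""
    srv = c2_endpoint(alerts)
    first_seen = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        client = a["dst"] if a["src"] == srv else a["src"]
        first_seen.setdefault(client, a["ts"])
    return first_seen


def reconnect_gaps(alerts):
    """Seconds between successive connection starts."""
    times = sorted(sessions(alerts).values())
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_summary(alerts):
    gaps = reconnect_gaps(alerts)
    by_sid = Counter(SID_LABELS.get(a["sid"], "other") for a in alerts)
    return {
        "c2": c2_endpoint(alerts),
        "connections": len(sessions(alerts)),
        "median_reconnect_s": round(statistics.median(gaps), 2),
        "max_reconnect_s": round(max(gaps), 2),
        "alerts_by_type": dict(by_sid),
    }
```

Eleven connections in about ninety seconds with a median gap of roughly seven seconds is a reconnect loop, not a long-lived session; the ConnectDelay and RestartDelay values in the extracted configuration are the knobs to compare that cadence against, and a tight periodic reconnect to one socket on a non-standard port is itself a hunting signal when no IDS signature fires.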

AV Detection

Source: amechi.duckdns.org | Avira URL Cloud: Label: malware
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "3ccbc5bb-95bf-4854-a1cd-6f73b82a", "Group": "GLORY", "Domain1": "amechi.duckdns.org", "Domain2": "amechi.duckdns.org", "Port": 3190, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: amechi.duckdns.org | Virustotal: Detection: 12%
Source: amechi.duckdns.org | Virustotal: Detection: 12%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | ReversingLabs: Detection: 13%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Virustotal: Detection: 27%
Source: PROOF OF PAYMENT.scr.exe | Virustotal: Detection: 27%
Source: PROOF OF PAYMENT.scr.exe | ReversingLabs: Detection: 13%
Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Joe Sandbox ML: detected
Source: PROOF OF PAYMENT.scr.exe | Joe Sandbox ML: detected
Source: PROOF OF PAYMENT.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PROOF OF PAYMENT.scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: System.Xml.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Accessibility.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Configuration.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: \mscorlib.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Xml.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp, WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: Microsoft.VisualBasic.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Windows.Forms.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Drawing.pdb`~ source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Drawing.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdbH source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.pdbPK6 source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 4x nop then jmp 02470499h | 0_2_02470586
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 4x nop then jmp 0D0201D1h | 11_2_0D0202BE
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 4x nop then jmp 08A201D1h | 17_2_08A202BC

      Networking

Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49735 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49736 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49743 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49744 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49745 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49746 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49746 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49747 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49749 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.95.169.113:3190 -> 192.168.2.4:49750
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49750 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49752 -> 45.95.169.113:3190
Source: Traffic | Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.95.169.113:3190 -> 192.168.2.4:49755
Source: Malware configuration extractor | URLs: amechi.duckdns.org
Source: unknown | DNS query: name: amechi.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 45.95.169.113:3190
Source: Joe Sandbox View | IP Address: 45.95.169.113
Source: Joe Sandbox View | ASN Name: GIGANET-HUGigaNetInternetServiceProviderCoHU
Source: global traffic | DNS traffic detected: DNS query: amechi.duckdns.org
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1715877322.00000000025DD000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, hXGmUcb.exe, 0000000B.00000002.1808923412.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000011.00000002.1898089086.0000000002791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.27.dr | String found in binary or memory: http://upx.sf.net
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: RegisterRawInputDevicesmemstr_7f75a987-7

      E-Banking Fraud

      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR

      System Summary

      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: initial sampleStatic PE information: Filename: PROOF OF PAYMENT.scr.exe
      Source: C:\Windows\SysWOW64\WerFault.exeProcess Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_02471E60
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_02470308
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_024702F8
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_0251E3B4
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E27568
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E208B0
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E27558
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2A528
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2A0F0
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2C160
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E22141
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E22150
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2C151
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E22117
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2CB60
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2089F
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E23800
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E23810
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 0_2_06E2A960
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 10_2_0130D344
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 10_2_06761818
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Code function: 10_2_067601E0
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0261E3B4
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_04C80FD4
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_04C824D6
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_04C80508
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_04C80518
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_090408B0
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09047568
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904A960
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09043800
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09043810
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904089F
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904CB60
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09042117
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09042141
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09042150
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904C151
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904C160
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904A0F0
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0904A528
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_09047558
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0D020040
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0D021AC8
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 11_2_0D020006
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Code function: 15_2_0111D344
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_009DE3B4
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C67568
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C608B0
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C67565
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6A528
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6A0F0
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6214D
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C62150
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6C15D
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6C160
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6CB60
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6089F
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C63800
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C63810
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_06C6A960
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_08A20040
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_08A219B9
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 17_2_08A20011
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Code function: 21_2_0137D344
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560
      Source: PROOF OF PAYMENT.scr.exe | Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
      Source: hXGmUcb.exe.0.dr | Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1715122507.000000000080E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1720840961.0000000009680000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000000.1613081722.0000000000208000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLaZ.exe" vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1716851418.0000000003F67000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.0000000004138000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257666948.0000000006770000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.0000000004151000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe | Binary or memory string: OriginalFilenameLaZ.exe" vs PROOF OF PAYMENT.scr.exe
      Source: PROOF OF PAYMENT.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTRMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTRMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTRMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTRMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: PROOF OF PAYMENT.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: hXGmUcb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rh0ThCo3wv2MPxBtFh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rh0ThCo3wv2MPxBtFh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.PROOF OF PAYMENT.scr.exe.25dd5c8.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
      Source: 0.2.PROOF OF PAYMENT.scr.exe.27c5b7c.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4f50000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
      Source: 0.2.PROOF OF PAYMENT.scr.exe.25cd174.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/26@14/1
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeFile created: C:\Program Files (x86)\DNS HostJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeFile created: C:\Users\user\AppData\Roaming\hXGmUcb.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
      Source: C:\Program Files (x86)\DNS Host\dnshost.exeMutant created: NULL
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
      Source: C:\Program Files (x86)\DNS Host\dnshost.exeMutant created: \Sessions\1\BaseNamedObjects\IwPiDPKLEAdVwxqu
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{3ccbc5bb-95bf-4854-a1cd-6f73b82adcba}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeFile created: C:\Users\user\AppData\Local\Temp\tmp314F.tmpJump to behavior
      Source: PROOF OF PAYMENT.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: PROOF OF PAYMENT.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: PROOF OF PAYMENT.scr.exeVirustotal: Detection: 27%
      Source: PROOF OF PAYMENT.scr.exeReversingLabs: Detection: 13%
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeFile read: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeJump to behavior
      Source: unknown | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe C:\Users\user\AppData\Roaming\hXGmUcb.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
      Source: unknown | Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
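The process creation entries above are the most reusable part of this report for detection engineering: a user-mode binary spawning PowerShell to call Add-MpPreference, schtasks.exe creating a task from an XML file in the user's Temp directory, and each stage re-launching its own image (the pattern behind the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures). The script below is an added example of triage rules run over those command lines; it is not part of the Joe Sandbox report or its tooling. The parent/child pairs are transcribed from the entries above as constructed sample input; the rule names, the Finding record and the Temp-directory heuristic are the example's own choices.

```python
import re
from dataclasses import dataclass

# (parent image, child command line) pairs transcribed from the process
# creation entries of this report. Constructed sample input for the example;
# nothing here is read from the sandbox itself.
SAMPLE_EVENTS = [
    ("unknown",
     r'"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'),
    (r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
     r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'),
    (r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
     r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"'),
    (r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"'),
    (r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
     r'"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Program Files (x86)\DNS Host\dnshost.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" '
     r'/XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"'),
]


@dataclass(frozen=True)
class Finding:
    rule: str      # example's own rule names, see analyze()
    parent: str    # image that spawned the suspicious child
    detail: str


# Plain-text Add-MpPreference with any of its -Exclusion* parameters.
_EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
# /TN and /XML arguments of schtasks, quoted or bare.
_TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
_TASK_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
# Heuristic: task definitions staged under the user's Temp directory.
_TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def image_of(cmdline: str) -> str:
    """Return the executable path at the start of a command line, unquoted."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return cmdline.strip()
    return (m.group(1) or m.group(2)).strip()


def _first(m):
    """Pick whichever alternation group matched in the /TN and /XML regexes."""
    return (m.group(1) or m.group(2)).strip() if m else None


def analyze(events):
    """Run the three triage rules over (parent, command line) pairs."""
    findings = []
    for parent, cmd in events:
        image = image_of(cmd)
        name = image.rsplit("\\", 1)[-1].lower()

        if name == "powershell.exe":
            m = _EXCLUSION_RE.search(cmd)
            if m:
                excluded = m.group(1).strip()
                # Excluding the parent's own path is the self-protection
                # pattern seen in this report.
                kind = "self-exclusion" if excluded.lower() == parent.lower() else "exclusion"
                findings.append(Finding("defender_exclusion", parent, f"{kind}: {excluded}"))

        elif name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            xml = _first(_TASK_XML_RE.search(cmd))
            if xml and _TEMP_DIR_RE.search(xml):
                task = _first(_TASK_NAME_RE.search(cmd)) or "?"
                findings.append(Finding("schtasks_temp_xml", parent, f"{task} <- {xml}"))

        # A process starting a second copy of its own image is consistent with
        # the report's suspended-mode / PE-injection signatures, but the command
        # line alone cannot prove injection, so this stays a heuristic.
        if image.lower() == parent.lower():
            findings.append(Finding("self_spawn", parent, image))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.detail}")
```

The exclusion rule only catches the plain-text cmdlet recorded in this report; the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit in the overview refers to the same behaviour carried in an -EncodedCommand argument, which has to be base64-decoded before these regexes are applied. On a live host the same two facts can be confirmed directly with Get-MpPreference (ExclusionPath) and Get-ScheduledTask for the "Updates\hXGmUcb" task.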
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: propsys.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: slc.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: sppc.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Section loaded: cryptbase.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: mscoree.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: apphelp.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: version.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: wldp.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: profapi.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: cryptsp.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: rsaenh.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: cryptbase.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: dwrite.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: amsi.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: userenv.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: msasn1.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: gpapi.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: windowscodecs.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: propsys.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: edputil.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: urlmon.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: iertutil.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: srvcli.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: netutils.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: sspicli.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: wintypes.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: appresolver.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: bcp47langs.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: slc.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: sppc.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: mscoree.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: version.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: wldp.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: profapi.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: cryptsp.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: rsaenh.dll
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: PROOF OF PAYMENT.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PROOF OF PAYMENT.scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: System.Xml.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Accessibility.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Configuration.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Configuration.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: \mscorlib.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Xml.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp, WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: Microsoft.VisualBasic.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Windows.Forms.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Drawing.pdb`~ source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Drawing.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.pdbH source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: mscorlib.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.pdbPK6 source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.ni.pdb source: WER7F8A.tmp.dmp.27.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr

      Data Obfuscation

      Source: PROOF OF PAYMENT.scr.exe, SpreadsheetName.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
      Source: hXGmUcb.exe.0.dr, SpreadsheetName.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs .Net Code: IaGtmtH0V1 System.Reflection.Assembly.Load(byte[])
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs .Net Code: IaGtmtH0V1 System.Reflection.Assembly.Load(byte[])
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
      Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E27F4B push es; retf 0_2_06E27F50
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261AFC8 push eax; retn 0004h 11_2_0261AFD2
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261AFD8 push eax; retn 0004h 11_2_0261AFE2
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261B00A push eax; retn 0004h 11_2_0261AFD2
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C830B0 push es; mov dword ptr [esp], 5504BCABh 11_2_04C830BA
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C8EAB8 pushfd ; iretd 11_2_04C8EB31
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C67F4B push es; retf 17_2_06C67F50
      Source: PROOF OF PAYMENT.scr.exe Static PE information: section name: .text entropy: 7.966591288732788
      Source: hXGmUcb.exe.0.dr Static PE information: section name: .text entropy: 7.966591288732788
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, a7WH18Hcc20wPeWQJl.csHigh entropy of concatenated method names: 'vMdhK16Qy4', 'AfehrDnT0s', 'd7XYDO1hi3', 'y3ZY6kY8ZF', 'erVY5Ubmoc', 'FMkYiHgHZj', 'QG8YbqU8ov', 'GsfY4IN3tB', 'IwSYRQ1iAp', 'wqrYLbLDVy'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, Rey2rtdvRpTeCLFBeL.csHigh entropy of concatenated method names: 'Dispose', 'q2PQ7WshZd', 'VuMEArlkQY', 'S4IooGTDB7', 'GWlQMpmyVP', 'JKdQzahP8E', 'ProcessDialogKey', 'NOMEVEiiWw', 'l7TEQ59o19', 'jqFEEuyUBV'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, RmVeZLtcaKrdC0Uaus.csHigh entropy of concatenated method names: 'ToString', 'nInePXmGxq', 'RhqeAiyn6r', 'VwdeDRiX08', 'nhPe6pCl8W', 'hVpe5viEja', 'iGyeigMoaI', 's8debL81ZH', 'p2Ie4nZ4wi', 'XA7eRY79mp'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, YYWK0OzQ8GnTyh7euo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BXoFskcPry', 'r2vF1Etb6I', 'gj7FesUY1g', 'JZeFOtlUMR', 'XcVFxhsIw2', 'AciFF49OQJ', 'RjgF94bdvr'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, WwSNyg0DDuwGTvKVKj.csHigh entropy of concatenated method names: 'Eay2pw1UVa', 'X3E2N6C52J', 'xnb2mQfn69', 'MmX2aquZts', 'sBw2lQBKVy', 'mHW2rGY8xd', 'kNv2UQpHOw', 'HwI2BOZgyH', 'LnWsxPJ4juD65rP2hjM', 'AbcHifJUBIjBTUFiHR5'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, C3fSWt9lq6cmKjZivw.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EfQE7yjXWR', 'p8pEM7BtuY', 'bcpEzSesNq', 'IggcVKs8NZ', 'REocQe98h2', 'X3LcEHmv4m', 'wOTccurcWT', 'TwmC983JutLaM3C3XhY'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, bXnp9f6gTwWnsZSwLY.csHigh entropy of concatenated method names: 'ediMMSJLjUbjgM2Bps9', 'C6aX53JxUK7cbY4NDIq', 'rju2xStvfi', 'Lee2FTakHU', 'MHL29wdmHP', 'Feo82IJHToxJrhOcgWA', 'glCVRsJwJMfBTIdKjgf', 'nGKAxXJeCZgFNRkPwdP'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, AHbEk21axUEqm7fT56.csHigh entropy of concatenated method names: 'XkYdNJyc1F', 'WvHdSBQunH', 'Pd7dmAmHQG', 'fZpdafLxBr', 'Y9odKidkSY', 'ihpdl3RwNf', 'j42drRMGsn', 'dr0d8sN54i', 'H1cdUkra7D', 'abldBwODOR'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, EUEE8DvIqtuPeTiAGn.csHigh entropy of concatenated method names: 'aHyOwAisgh', 'I4dOMX4yYi', 'wivxVxvdm0', 'xwsxQ6RUe8', 'RRuOPnYcbw', 'mvVOfLSB78', 'yG2OJFHgQy', 'VnGOkMKBG2', 'bj5OXZ1JCr', 'm9COITF3JE'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, q0rM6Liejcmga7tNtno.csHigh entropy of concatenated method names: 'R4ZFN0nqB5', 'a4JFS1mZEj', 'jIAFmfI8rt', 'bxdFavRElW', 'gIBFKEQs57', 'uf4FlZGQ5R', 'SBJFr29lUi', 'IgfF8jR7Un', 'olWFUGuhdR', 'SR4FBw2256'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, O2HMwp5KwMD4Y1kAup.csHigh entropy of concatenated method names: 'gLPFQ8WRia', 'Ay6FcxCWmF', 'Y4rFto6Ta2', 'yUpFZYxAId', 'COiFWYFcVJ', 'm75FhsNat0', 'NZmF236lSO', 'TkCxuKYQse', 'rq7xwdEaWu', 'dN2x7SgvV5'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, GrtMols1V6lhk2hI0e.csHigh entropy of concatenated method names: 'LfOmNlmch', 'iHOaSaKfB', 'IOXljXW2Y', 'No3rfXCjV', 'oE5UhKHyc', 'GxZBNfhwk', 'hsHWbnBbkCLlpxpkYY', 'uo4XTDptJRSHPLOED5', 'rjNxdtopn', 'O8091ORpQ'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rh0ThCo3wv2MPxBtFh.csHigh entropy of concatenated method names: 'bvCWktd9Un', 'CXoWXsSeLD', 'UimWICFGc7', 'wRVWjFOmOw', 't35WvTPpnY', 'cbuWHyNYlv', 'AopWuHkapR', 'QWiWwNACnt', 'BY2W725YeL', 'TBUWMMVLlA'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, BnI13jwnKRvNGvGP2F.csHigh entropy of concatenated method names: 'XiPxZZTTZo', 'dqVxWFf3AG', 'nOIxYJl1n1', 'EWYxh672ZR', 'w03x2uP2bI', 'Qkyxdfyf1i', 'Ax2xT3HDRa', 'UrQxGNdgN9', 'gwox0w8D3Q', 'hc3xgdHuRu'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, DCnUwxkrso4naVYmQk.csHigh entropy of concatenated method names: 'pGs2ydnUoS', 'fda2WdKc3N', 'fSS2heoCTv', 'fc42dM5wQ0', 'NyS2TFFYVD', 'IkPhvmvH43', 'FWjhHSjLDu', 'OuPhuc6Jfa', 'hu4hwy6Yk5', 'F6Xh7KppkR'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, WWBcScFrnYSGoAdw3C.csHigh entropy of concatenated method names: 'X9xs8HMKZe', 'PDJsU15Pkk', 'ld1sCvPaMy', 'a0jsA4auOZ', 'p19s6stuAr', 'jZHs5C6S9B', 'Nc7sbGR7AL', 'bqYs49YAkE', 'sRTsL1qtjp', 'xirsP9HP8j'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.csHigh entropy of concatenated method names: 'Uu8cyPWXYh', 'gEicZKBvbn', 'a2kcWAnssT', 'ktIcYXQiBs', 'FCQch0Vdcw', 'AfNc25cReP', 'wbtcdDfC6G', 'lQrcT1IyVq', 'VRAcGfENOM', 'kvLc04e9fL'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, DuoeAeiZfYcQfs4fvYT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QiO9kj98xK', 'YVl9XWBtjT', 'yF09IpiRII', 'lG19jlAvA7', 'gVd9vMeyU1', 'Dh79HvQwYC', 'Jvu9uApxUD'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, jp5tqDr4CYlZBQwy1A.csHigh entropy of concatenated method names: 'NruQd0LmkF', 'zxhQTicd5E', 'VYqQ0Zalrk', 'qlJQgshZ01', 'HvWQ1FXJyw', 'EFCQeSi0VT', 'qrO0tfP2qTVx0lXmvM', 'gIeXPesq9Wbn0mKoPC', 'DT7QQgT3Zi', 'OdIQcvgl1G'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rpsPfDxQy929cynlVU.csHigh entropy of concatenated method names: 'KP8YarIFlX', 'HPYYlM5e3e', 't8xY8jAGvr', 'MLbYUMO6F6', 'fyHY1Qyoug', 'JjvYeH29v8', 'eZiYOvemZg', 's7BYxOsOSU', 'I62YFsMrZj', 'zqAY9m9S4u'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, a7WH18Hcc20wPeWQJl.csHigh entropy of concatenated method names: 'vMdhK16Qy4', 'AfehrDnT0s', 'd7XYDO1hi3', 'y3ZY6kY8ZF', 'erVY5Ubmoc', 'FMkYiHgHZj', 'QG8YbqU8ov', 'GsfY4IN3tB', 'IwSYRQ1iAp', 'wqrYLbLDVy'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, Rey2rtdvRpTeCLFBeL.csHigh entropy of concatenated method names: 'Dispose', 'q2PQ7WshZd', 'VuMEArlkQY', 'S4IooGTDB7', 'GWlQMpmyVP', 'JKdQzahP8E', 'ProcessDialogKey', 'NOMEVEiiWw', 'l7TEQ59o19', 'jqFEEuyUBV'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, RmVeZLtcaKrdC0Uaus.csHigh entropy of concatenated method names: 'ToString', 'nInePXmGxq', 'RhqeAiyn6r', 'VwdeDRiX08', 'nhPe6pCl8W', 'hVpe5viEja', 'iGyeigMoaI', 's8debL81ZH', 'p2Ie4nZ4wi', 'XA7eRY79mp'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, YYWK0OzQ8GnTyh7euo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BXoFskcPry', 'r2vF1Etb6I', 'gj7FesUY1g', 'JZeFOtlUMR', 'XcVFxhsIw2', 'AciFF49OQJ', 'RjgF94bdvr'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, WwSNyg0DDuwGTvKVKj.csHigh entropy of concatenated method names: 'Eay2pw1UVa', 'X3E2N6C52J', 'xnb2mQfn69', 'MmX2aquZts', 'sBw2lQBKVy', 'mHW2rGY8xd', 'kNv2UQpHOw', 'HwI2BOZgyH', 'LnWsxPJ4juD65rP2hjM', 'AbcHifJUBIjBTUFiHR5'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, C3fSWt9lq6cmKjZivw.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EfQE7yjXWR', 'p8pEM7BtuY', 'bcpEzSesNq', 'IggcVKs8NZ', 'REocQe98h2', 'X3LcEHmv4m', 'wOTccurcWT', 'TwmC983JutLaM3C3XhY'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, bXnp9f6gTwWnsZSwLY.csHigh entropy of concatenated method names: 'ediMMSJLjUbjgM2Bps9', 'C6aX53JxUK7cbY4NDIq', 'rju2xStvfi', 'Lee2FTakHU', 'MHL29wdmHP', 'Feo82IJHToxJrhOcgWA', 'glCVRsJwJMfBTIdKjgf', 'nGKAxXJeCZgFNRkPwdP'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, AHbEk21axUEqm7fT56.csHigh entropy of concatenated method names: 'XkYdNJyc1F', 'WvHdSBQunH', 'Pd7dmAmHQG', 'fZpdafLxBr', 'Y9odKidkSY', 'ihpdl3RwNf', 'j42drRMGsn', 'dr0d8sN54i', 'H1cdUkra7D', 'abldBwODOR'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, EUEE8DvIqtuPeTiAGn.csHigh entropy of concatenated method names: 'aHyOwAisgh', 'I4dOMX4yYi', 'wivxVxvdm0', 'xwsxQ6RUe8', 'RRuOPnYcbw', 'mvVOfLSB78', 'yG2OJFHgQy', 'VnGOkMKBG2', 'bj5OXZ1JCr', 'm9COITF3JE'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, q0rM6Liejcmga7tNtno.csHigh entropy of concatenated method names: 'R4ZFN0nqB5', 'a4JFS1mZEj', 'jIAFmfI8rt', 'bxdFavRElW', 'gIBFKEQs57', 'uf4FlZGQ5R', 'SBJFr29lUi', 'IgfF8jR7Un', 'olWFUGuhdR', 'SR4FBw2256'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, O2HMwp5KwMD4Y1kAup.csHigh entropy of concatenated method names: 'gLPFQ8WRia', 'Ay6FcxCWmF', 'Y4rFto6Ta2', 'yUpFZYxAId', 'COiFWYFcVJ', 'm75FhsNat0', 'NZmF236lSO', 'TkCxuKYQse', 'rq7xwdEaWu', 'dN2x7SgvV5'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, GrtMols1V6lhk2hI0e.csHigh entropy of concatenated method names: 'LfOmNlmch', 'iHOaSaKfB', 'IOXljXW2Y', 'No3rfXCjV', 'oE5UhKHyc', 'GxZBNfhwk', 'hsHWbnBbkCLlpxpkYY', 'uo4XTDptJRSHPLOED5', 'rjNxdtopn', 'O8091ORpQ'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rh0ThCo3wv2MPxBtFh.csHigh entropy of concatenated method names: 'bvCWktd9Un', 'CXoWXsSeLD', 'UimWICFGc7', 'wRVWjFOmOw', 't35WvTPpnY', 'cbuWHyNYlv', 'AopWuHkapR', 'QWiWwNACnt', 'BY2W725YeL', 'TBUWMMVLlA'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, BnI13jwnKRvNGvGP2F.csHigh entropy of concatenated method names: 'XiPxZZTTZo', 'dqVxWFf3AG', 'nOIxYJl1n1', 'EWYxh672ZR', 'w03x2uP2bI', 'Qkyxdfyf1i', 'Ax2xT3HDRa', 'UrQxGNdgN9', 'gwox0w8D3Q', 'hc3xgdHuRu'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, DCnUwxkrso4naVYmQk.csHigh entropy of concatenated method names: 'pGs2ydnUoS', 'fda2WdKc3N', 'fSS2heoCTv', 'fc42dM5wQ0', 'NyS2TFFYVD', 'IkPhvmvH43', 'FWjhHSjLDu', 'OuPhuc6Jfa', 'hu4hwy6Yk5', 'F6Xh7KppkR'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, WWBcScFrnYSGoAdw3C.csHigh entropy of concatenated method names: 'X9xs8HMKZe', 'PDJsU15Pkk', 'ld1sCvPaMy', 'a0jsA4auOZ', 'p19s6stuAr', 'jZHs5C6S9B', 'Nc7sbGR7AL', 'bqYs49YAkE', 'sRTsL1qtjp', 'xirsP9HP8j'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.csHigh entropy of concatenated method names: 'Uu8cyPWXYh', 'gEicZKBvbn', 'a2kcWAnssT', 'ktIcYXQiBs', 'FCQch0Vdcw', 'AfNc25cReP', 'wbtcdDfC6G', 'lQrcT1IyVq', 'VRAcGfENOM', 'kvLc04e9fL'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, DuoeAeiZfYcQfs4fvYT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QiO9kj98xK', 'YVl9XWBtjT', 'yF09IpiRII', 'lG19jlAvA7', 'gVd9vMeyU1', 'Dh79HvQwYC', 'Jvu9uApxUD'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, jp5tqDr4CYlZBQwy1A.csHigh entropy of concatenated method names: 'NruQd0LmkF', 'zxhQTicd5E', 'VYqQ0Zalrk', 'qlJQgshZ01', 'HvWQ1FXJyw', 'EFCQeSi0VT', 'qrO0tfP2qTVx0lXmvM', 'gIeXPesq9Wbn0mKoPC', 'DT7QQgT3Zi', 'OdIQcvgl1G'
      Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rpsPfDxQy929cynlVU.csHigh entropy of concatenated method names: 'KP8YarIFlX', 'HPYYlM5e3e', 't8xY8jAGvr', 'MLbYUMO6F6', 'fyHY1Qyoug', 'JjvYeH29v8', 'eZiYOvemZg', 's7BYxOsOSU', 'I62YFsMrZj', 'zqAY9m9S4u'
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Users\user\AppData\Roaming\hXGmUcb.exe (dropped file)
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Program Files (x86)\DNS Host\dnshost.exe (dropped file)
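      Added example, not part of the Joe Sandbox report: the ".text entropy: 7.9666" entries above are the Shannon entropy of the section's raw bytes, and a value that close to 8 bits/byte on a code section is the classic sign of a packed or encrypted payload (consistent with the Assembly.Load(byte[]) unpacking seen in the same section). The Python below reproduces that check with a minimal PE section-table walk. The PE blob it analyses is constructed inline (a synthetic header with one pseudo-random section and one low-entropy section), not the analysed sample, and the 7.2 cutoff is an assumed threshold rather than a value from the report.

```python
import math
import struct

PACKED_THRESHOLD = 7.2  # assumed cutoff; ordinary compiled code sits well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size, entropy) for each section of a PE image.
    Minimal walk: DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_hdr_size              # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])

def packed_sections(blob: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [name for name, _, _, ent in pe_sections(blob) if ent >= threshold]

# ---- constructed input: a synthetic PE-shaped blob, not the analysed sample ----

def _xorshift_bytes(n: int, seed: int = 0x1234ABCD) -> bytes:
    """Deterministic pseudo-random bytes standing in for packed code."""
    out, x = bytearray(), seed
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])

def build_sample_pe(sections) -> bytes:
    """Assemble DOS stub + COFF header (no optional header) + section table + raw data."""
    e_lfanew = 0x40
    blob = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0, Characteristics
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = len(blob) + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(body))
        table += bytes(16)                        # reloc/linenum pointers and counts, characteristics
        body += data
    return bytes(blob + table + body)

SAMPLE_PE = build_sample_pe([
    (".text", _xorshift_bytes(4096)),             # packed/encrypted code: close to 8 bits/byte
    (".rsrc", bytes(3000) + b"A" * 1096),         # plain resources: low entropy
])

if __name__ == "__main__":
    for name, off, size, ent in pe_sections(SAMPLE_PE):
        print(f"{name:<8} off=0x{off:06x} size={size:6d} entropy={ent:.3f}")
    print("packed:", packed_sections(SAMPLE_PE))
```

      Note that the report's reading is section-level, not whole-file: a high whole-file entropy can come from legitimately compressed resources, whereas a near-8 .text section is far harder to explain innocently.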

      Boot Survival

      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host (2 occurrences)
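      Added example, not the report's own tooling: the schtasks command line above is what the "Scheduled temp file as task from temp location" Sigma hit keys on, a /Create whose task definition is read via /XML from a file under %TEMP%. The Python below applies that check to the command line recorded in the report and then inspects a task definition of the kind such a file contains, flagging an action that runs from a user-writable directory, a logon trigger and the Hidden setting. The task XML is constructed for the example (the report does not show the contents of tmp314F.tmp); its action path is the dropped hXGmUcb.exe, and the logon trigger and Hidden flag are assumptions, not observations from the report. The Run-key entry "DNS Host" is the second persistence path and is not modelled here.

```python
import re
from typing import Optional
import xml.etree.ElementTree as ET

# Directories an unprivileged user can write to. A task definition or action
# path under one of these is the signal behind the "scheduled temp file as
# task from temp location" detection.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def split_cmdline(cmd: str) -> list:
    """Tokenise a Windows command line, keeping double-quoted arguments whole."""
    return [quoted if quoted is not None and quoted != "" else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def analyze_schtasks(cmd: str) -> Optional[dict]:
    """Return task name and findings for a 'schtasks /Create'; None for anything else."""
    toks = split_cmdline(cmd)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def arg(flag: str) -> Optional[str]:
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else None

    findings = []
    for flag in ("/xml", "/tr"):                  # definition file or direct command
        val = arg(flag)
        if val and USER_WRITABLE.search(val):
            findings.append(f"{flag} argument in user-writable path: {val}")
    return {"task": arg("/tn"), "findings": findings}

def analyze_task_xml(xml_text: str) -> dict:
    """Inspect a Task Scheduler definition of the kind passed via /XML."""
    root = ET.fromstring(xml_text)
    out = {"commands": [], "triggers": [], "findings": []}
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        out["commands"].append(cmd)
        if USER_WRITABLE.search(cmd):
            out["findings"].append(f"action executes from user-writable path: {cmd}")
    triggers = root.find("t:Triggers", TASK_NS)
    for trig in (list(triggers) if triggers is not None else []):
        kind = trig.tag.split("}")[-1]            # strip the schema namespace
        out["triggers"].append(kind)
        if kind == "LogonTrigger":
            out["findings"].append("LogonTrigger: task re-runs at every logon")
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        out["findings"].append("task is marked Hidden")
    return out

# Command line exactly as recorded in the report.
SAMPLE_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" '
                  r'/XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"')

# Constructed task definition (assumed content; the report does not show tmp314F.tmp).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\hXGmUcb.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(analyze_schtasks(SAMPLE_CMDLINE))
    print(analyze_task_xml(SAMPLE_TASK_XML))
```

      On a live host the same checks can be run against the exported definitions under C:\Windows\System32\Tasks (each task is stored as this XML), so a task named Updates\hXGmUcb can be triaged even after the temp file has been deleted.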

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File opened: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX (48 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (66 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Process information set: NOOPENFILEERRORBOX (repeated 5 times)
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Process information set: NOOPENFILEERRORBOX (repeated 75 times)
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (repeated 5 times)
      Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (repeated 51 times)

      Malware Analysis System Evasion

      Source: Yara match; File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 2310000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 2570000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 2470000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 7330000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 6C60000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 8330000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 9330000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 9700000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: A700000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: B700000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 1300000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 30D0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 1440000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 2520000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 2740000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 2520000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 6BB0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 7BB0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 7D30000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 8D30000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 93A0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: A3A0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: B3B0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 1110000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 2AB0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory allocated: 4AB0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 9D0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 2720000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 2560000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 6DA0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 6AC0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 7DA0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 8DA0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 9340000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 6DA0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 1330000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 2D50000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 2C70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Thread delayed: delay time: 922337203685477 (repeated 4 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (repeated 6 times)
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Thread delayed: delay time: 922337203685477 (repeated 4 times)
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Thread delayed: delay time: 922337203685477 (repeated 4 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7836
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 782
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8347
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1113
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Window / User API: threadDelayed 4342
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Window / User API: threadDelayed 5450
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Window / User API: foregroundWindowGot 1215
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe TID: 2696; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548; Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592; Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe TID: 7660; Thread sleep time: -27670116110564310s >= -30000s
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe TID: 7708; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe TID: 7984; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8116; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7404; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (repeated 3 times)
      Source: Amcache.hve.27.dr; Binary or memory string: VMware
      Source: Amcache.hve.27.dr; Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.27.dr; Binary or memory string: vmci.syshbin
      Source: Amcache.hve.27.dr; Binary or memory string: VMware, Inc.
      Source: Amcache.hve.27.dr; Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.27.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.27.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.27.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.27.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.27.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.27.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.27.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Amcache.hve.27.dr; Binary or memory string: vmci.sys
      Source: Amcache.hve.27.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.27.dr; Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.27.dr; Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.27.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.27.dr; Binary or memory string: VMware20,1
      Source: Amcache.hve.27.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.27.dr; Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.27.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.27.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.27.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.27.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.27.dr; Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.27.dr; Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.27.dr; Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.27.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.27.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process token adjusted: Debug (repeated 2 times)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug (repeated 2 times)
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: page read and write | page guard
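      The rows in this section can be triaged mechanically, and doing so makes two caveats visible that the raw signature list hides. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses rows written as `Source: <process>; <field>: <value>` (the embedded input is a constructed handful of rows copied from this section), classifies the sleep values, counts write-watch allocations per process, and separates VM strings that come from captured host files (Amcache.hve.27.dr, a hive taken from the analysis VM) from strings found in the sample's own memory dumps. The two facts behind the assessment: 922337203685477 ms is .NET's TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns divided by 10000), so a thread sleeping that long is parked for good rather than delaying a payload; and the .NET garbage collector reserves its heap with MEM_WRITE_WATCH, so the "memory write watch" rows fire for most managed executables. The function names, the `.dr` suffix rule, the VM marker list and the 3-minute threshold are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# 922337203685477 ms is .NET's TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns / 10_000):
# a thread sleeping that long never resumes, so it is parked, not delaying a payload.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's own ">= 3 min" signature threshold (assumed ms)

# Sources with this suffix are files captured from the analysis VM (e.g. Amcache.hve.27.dr),
# so VM strings found in them describe the sandbox host, not the sample (assumption).
HOST_ARTIFACT_SUFFIX = ".dr"
VM_MARKERS = ("vmware", "vmci", "virtualbox", "vbox", "qemu", "hyper-v", "xen")

ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)(?: TID: (?P<tid>\d+))?; (?P<field>[^:]+): (?P<value>.*)$"
)
NUM_RE = re.compile(r"-?\d+")


def parse_row(line):
    """Split one report row into source / tid / field / value; None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def process_name(source):
    """'C:\\...\\x.exe' or 'x.exe, <dump id>.sdmp' -> 'x.exe'."""
    return source.split(",", 1)[0].rsplit("\\", 1)[-1]


def summarize_evasion(lines):
    infinite, long_sleeps, write_watch = Counter(), Counter(), Counter()
    vm_strings = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        proc, field, value = process_name(row["source"]), row["field"], row["value"]
        if field in ("Thread delayed", "Thread sleep time"):
            nums = NUM_RE.findall(value)
            if not nums:
                continue
            ms = abs(int(nums[0]))      # relative NtDelayExecution values are reported negative
            if ms >= TIMESPAN_MAX_MS:
                infinite[proc] += 1
            elif ms >= LONG_SLEEP_MS:
                long_sleeps[proc] += 1
        elif field == "Memory allocated" and "write watch" in value:
            write_watch[proc] += 1
        elif field == "Binary or memory string":
            if any(mk in value.lower() for mk in VM_MARKERS):
                origin = "host artifact" if row["source"].endswith(HOST_ARTIFACT_SUFFIX) else "sample memory"
                vm_strings[origin].append((proc, value))
    return {
        "infinite_sleeps": dict(infinite),
        "long_sleeps": dict(long_sleeps),
        "write_watch_allocs": dict(write_watch),
        "vm_strings": dict(vm_strings),
    }


def assess(summary):
    """Turn the counts into analyst-facing findings with the caveats attached."""
    out = []
    for proc, n in sorted(summary["infinite_sleeps"].items()):
        out.append(f"{proc}: {n} infinite sleep(s) (TimeSpan.MaxValue); thread parked, not a timed delay")
    for proc, n in sorted(summary["long_sleeps"].items()):
        out.append(f"{proc}: {n} sleep(s) of 3 min or more")
    for proc, n in sorted(summary["write_watch_allocs"].items()):
        out.append(f"{proc}: {n} MEM_WRITE_WATCH allocation(s); expected from the .NET GC, weak on its own")
    for proc, s in summary["vm_strings"].get("sample memory", []):
        out.append(f"{proc}: VM-related string in sample memory: {s}")
    host = summary["vm_strings"].get("host artifact", [])
    if host:
        out.append(f"{len(host)} VM string(s) come from captured host files (Amcache) and describe the sandbox VM")
    return out


# Constructed input: a subset of the rows from this section, in the row form used here.
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 2310000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory allocated: 2570000 memory reserve | memory write watch",
    r"Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory allocated: 9D0000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe TID: 2696; Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548; Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Window / User API: threadDelayed 4342",
    r"Source: Amcache.hve.27.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.27.dr; Binary or memory string: Microsoft Hyper-V Generation Counter",
    r"Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process token adjusted: Debug",
]

if __name__ == "__main__":
    for finding in assess(summarize_evasion(REPORT_ROWS)):
        print(finding)
```

      Run against the rows above, the only "VM" string in the sample's own memory is `Hyper-V RAW%SystemRoot%\system32\mswsock.dll`, the Winsock catalog entry for Hyper-V sockets that any process loading mswsock.dll carries; the remaining VM strings all come from the captured Amcache hive. The evidence of sandbox awareness in this report therefore rests on the Yara AntiVM3 match and the user-activity loop (foregroundWindowGot), not on the strings or the write-watch rows.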

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" (repeated 3 times)
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe" (repeated 3 times)
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Memory written: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Memory written: C:\Users\user\AppData\Roaming\hXGmUcb.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe; Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" (repeated 3 times)
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe; Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe; Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" (repeated 2 times)
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q|
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q<
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q$g[
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033E8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q@
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000324B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q\#'
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^qt3
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q|'M
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^qD
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003306000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^qLm0
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^ql
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q,
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^qx+@
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003240000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q0
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q84@
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258273905.0000000006E5D000.00000004.00000010.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258155369.0000000006B5D000.00000004.00000010.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258747252.00000000075AE000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: Program ManagerR
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager`
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000327C000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^qt
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000327C000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerLR^q4
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\rK
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT_C
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0m1
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qd
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT&
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qh
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qLuT
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000339E000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerlB^q
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qHec
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$"d
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$FH
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qtIC
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4RC
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q8bO
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003240000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qP
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q,#
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$}[
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qxWU
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 consecutive identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 consecutive identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 consecutive identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (7 consecutive identical entries)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: the same sequence of catalog, GAC assembly and PowerShell module queries listed above is recorded a second time for powershell.exe
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: C:\Users\user\AppData\Roaming\hXGmUcb.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe | Queries volume information: the same five queries (own image, System.Windows.Forms, System.Drawing, Microsoft.VisualBasic, Accessibility) are recorded a second time for hXGmUcb.exe
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Queries volume information: the same five queries (own image, System.Windows.Forms, System.Drawing, Microsoft.VisualBasic, Accessibility) are recorded a second time for dnshost.exe
      Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: Amcache.hve.27.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.27.dr | Binary or memory string: msmpeng.exe
      Source: Amcache.hve.27.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.27.dr | Binary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.1719041466.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1716851418.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLog
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.Desi
gnHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: hXGmUcb.exe, 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: hXGmUcb.exe, 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: hXGmUcb.exe, 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyword
AttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: hXGmUcb.exe, 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: hXGmUcb.exe, 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyword
AttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: hXGmUcb.exe, 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dnshost.exe, 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dnshost.exe, 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dnshost.exe, 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLog
      Source: dnshost.exe, 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: dnshost.exe, 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyword
AttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match; File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1719041466.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1716851418.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic column, techniques in matrix order; the leading digits are the counts displayed in the matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 111 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1431488
Sample: PROOF OF PAYMENT.scr.exe
Startdate: 25/04/2024
Architecture: WINDOWS
Score: 100
Signatures on the sample: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 18 other signatures

Process tree (node labels as shown in the graph; dropped files, DNS/IP information and signatures are listed under the process they are attached to):

• PROOF OF PAYMENT.scr.exe 7 (started)
  • dropped: C:\Users\user\AppData\Roaming\hXGmUcb.exe, PE32
  • dropped: C:\Users\user\AppData\Local\...\tmp314F.tmp, XML
  • signatures: Detected Nanocore Rat; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • PROOF OF PAYMENT.scr.exe 1 10 (started)
    • DNS/IP: amechi.duckdns.org (signature: Uses dynamic DNS services)
    • DNS/IP: amechi.duckdns.org 45.95.169.113, 3190, 49735, 49736 GIGANET-HUGigaNetInternetServiceProviderCoHU Croatia (LOCAL Name: Hrvatska)
    • dropped: C:\Program Files (x86)\DNS Host\dnshost.exe, PE32
    • dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
    • signatures: Detected Nanocore Rat; Hides that the sample has been downloaded from the Internet (zone.identifier)
    • WerFault.exe (started)
  • powershell.exe 22 (started)
    • signature: Loading BitLocker PowerShell Module
    • conhost.exe (started)
    • WmiPrvSE.exe (started)
  • powershell.exe 23 (started)
    • conhost.exe (started)
  • 3 other processes
    • conhost.exe (started)
• hXGmUcb.exe 5 (started)
  • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • hXGmUcb.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• dnshost.exe (started)
  • dnshost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
  • dnshost.exe (started)

Source | Detection | Scanner | Label | Link
------ | --------- | ------- | ----- | ----
PROOF OF PAYMENT.scr.exe | 28% | Virustotal | | Browse
PROOF OF PAYMENT.scr.exe | 13% | ReversingLabs | Win32.Trojan.Generic |
PROOF OF PAYMENT.scr.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
------ | --------- | ------- | ----- | ----
C:\Users\user\AppData\Roaming\hXGmUcb.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DNS Host\dnshost.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DNS Host\dnshost.exe | 13% | ReversingLabs | Win32.Trojan.Generic |
C:\Program Files (x86)\DNS Host\dnshost.exe | 28% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\hXGmUcb.exe | 13% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Roaming\hXGmUcb.exe | 28% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
------ | --------- | ------- | ----- | ----
amechi.duckdns.org | 13% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
------ | --------- | ------- | ----- | ----
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
amechi.duckdns.org | 100% | Avira URL Cloud | malware |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
amechi.duckdns.org | 13% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---- | -- | ------ | --------- | ------------------- | ----------
amechi.duckdns.org | 45.95.169.113 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
---- | --------- | ------------------- | ----------
amechi.duckdns.org | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
---- | ------ | --------- | ------------------- | ----------
http://www.apache.org/licenses/LICENSE-2.0 | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.27.dr | false | | high
http://www.fontbureau.com/designers | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1715877322.00000000025DD000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, hXGmUcb.exe, 0000000B.00000002.1808923412.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000011.00000002.1898089086.0000000002791000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
-- | ------ | ------- | ---- | --- | -------- | ---------
45.95.169.113 | amechi.duckdns.org | Croatia (LOCAL Name: Hrvatska) | | 42864 | GIGANET-HUGigaNetInternetServiceProviderCoHU | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1431488
                              Start date and time:2024-04-25 10:06:08 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 10m 52s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:29
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:PROOF OF PAYMENT.scr.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@32/26@14/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 129
                              • Number of non-executed functions: 13
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.42.73.29
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
09:07:01 | Task Scheduler | Run new task: hXGmUcb path: C:\Users\user\AppData\Roaming\hXGmUcb.exe
09:07:04 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe
10:06:54 | API Interceptor | 324932x Sleep call for process: PROOF OF PAYMENT.scr.exe modified
10:07:00 | API Interceptor | 32x Sleep call for process: powershell.exe modified
10:07:02 | API Interceptor | 1x Sleep call for process: hXGmUcb.exe modified
10:07:13 | API Interceptor | 1x Sleep call for process: dnshost.exe modified
10:09:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.95.169.113 | Documento_Remisorio_Activo_N#8475684756..exe | malicious | AsyncRAT, DcRat |
45.95.169.113 | DRsredYZxA | malicious | Unknown |
45.95.169.113 | HklThtI5xY | malicious | Mirai |
45.95.169.113 | ZmE7zvQ5H0 | malicious | Unknown |
45.95.169.113 | T2dACD6noW | malicious | Mirai |
45.95.169.113 | x86 | malicious | Mirai |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
amechi.duckdns.org | SecuriteInfo.com.Trojan.Inject4.59820.27455.12514.exe | malicious | Nanocore | 194.147.140.141
amechi.duckdns.org | PROOF_OF_PAYMENT.exe | malicious | Nanocore | 103.212.81.155
amechi.duckdns.org | PROOF_OF_PAYMENT.exe | malicious | Nanocore | 103.212.81.155
amechi.duckdns.org | PROOF OF PAYMENT.exe | malicious | Nanocore, AsyncRAT, FormBook | 194.5.98.222
amechi.duckdns.org | SecuriteInfo.com.Variant.Ursu.376472.15031.exe | malicious | Nanocore | 194.5.98.222
amechi.duckdns.org | pop.exe | malicious | Nanocore | 194.5.98.222
amechi.duckdns.org | TT PAYMENT SLIP.exe | malicious | Nanocore AgentTesla gzRat | 194.5.98.222
amechi.duckdns.org | PROOF_OF.EXE | malicious | Nanocore gzRat | 194.5.98.222
amechi.duckdns.org | PROOF OF PAYMENT.exe | malicious | Nanocore AgentTesla | 194.5.98.222
amechi.duckdns.org | PAYMENT.exe | malicious | Nanocore | 185.244.30.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GIGANET-HUGigaNetInternetServiceProviderCoHU | Documento_Remisorio_Activo_N#8475684756..exe | malicious | AsyncRAT, DcRat | 45.95.169.113
GIGANET-HUGigaNetInternetServiceProviderCoHU | pSfqOmM1DG.exe | malicious | Remcos, DBatLoader | 45.9.168.238
GIGANET-HUGigaNetInternetServiceProviderCoHU | payment_Adv.vbs | malicious | Remcos, GuLoader | 45.95.169.12
GIGANET-HUGigaNetInternetServiceProviderCoHU | nune4wRXO1.elf | malicious | Mirai, Gafgyt | 45.95.169.102
GIGANET-HUGigaNetInternetServiceProviderCoHU | M3VAQtY4jqGyrtO.exe | malicious | AgentTesla | 45.95.168.74
GIGANET-HUGigaNetInternetServiceProviderCoHU | SecuriteInfo.com.Win32.PWSX-gen.9989.30951.exe | malicious | AgentTesla | 45.95.168.74
GIGANET-HUGigaNetInternetServiceProviderCoHU | GN54VPHV1Q.elf | malicious | Gafgyt, Mirai | 45.95.169.103
GIGANET-HUGigaNetInternetServiceProviderCoHU | tXgBFr4DQ1.elf | malicious | Gafgyt, Mirai | 45.95.169.103
GIGANET-HUGigaNetInternetServiceProviderCoHU | vtuxAlLJXO.elf | malicious | Gafgyt, Mirai | 45.95.169.103
GIGANET-HUGigaNetInternetServiceProviderCoHU | jFAsTk5xgd.elf | malicious | Gafgyt, Mirai | 45.95.169.103
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):686080
                                          Entropy (8bit):7.939628470038495
                                          Encrypted:false
                                          SSDEEP:12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
                                          MD5:11B19B59F657910F0AF49721A77BC2DD
                                          SHA1:3078779D892BD96E5DFDDB76D491F52EEFD39A2D
                                          SHA-256:C03858657307A20F2DA776BA010C76495276E80306C19B70F44342C8BCAECE85
                                          SHA-512:DE92458ACC1341BD5DB1CA3F5542339C5E06DAC938903EFC9C9EECA234058A92FB1E99BDB94C547A7126DFE033C300BEB5A8EF3CA63DCB61BB6DBD397B7602E2
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 13%
• Antivirus: Virustotal, Detection: 28%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f..............0..P... .......n... ........@.. ....................................`..................................m..O.................................................................................... ............... ..H............text...0N... ...P.................. ..`.rsrc................X..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:false
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.1486439221422495
                                          Encrypted:false
                                          SSDEEP:192:9ktXxMN0MLLHzKla6U+mZgAmzuiFj4Z24IO83U:qthMOMHHulaTgAmzuiFkY4IO83
                                          MD5:8F18F41A8B958B278463CCFDC8736827
                                          SHA1:9C3BB4C077277C8FDC5B77805B508FFC67CDFE13
                                          SHA-256:09A64F643AFD1E9F3E7AB78AF6923575F1891856E8A981CBCA42CB426A68163D
                                          SHA-512:9ECD43BAFF75FE1F82DA35999B940B69E6D80CE60500D0C17214389C4CCA35A239F4A8FFD4845074AB100D86FB54424E0D5975C827B641FCFF734C3DF58E8818
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.0.6.1.1.5.5.2.8.5.9.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.0.6.1.6.5.3.7.2.3.5.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.5.e.0.c.0.1.-.2.5.9.e.-.4.c.c.2.-.a.1.a.3.-.0.6.a.3.a.1.4.7.f.5.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.e.0.c.1.8.8.-.f.f.5.7.-.4.4.b.6.-.b.4.e.d.-.1.6.6.b.8.4.7.f.d.4.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.R.O.O.F. .O.F. .P.A.Y.M.E.N.T...s.c.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.L.a.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.c.-.0.0.0.1.-.0.0.1.4.-.3.d.6.2.-.f.f.8.c.e.7.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.b.3.d.7.6.9.e.6.3.e.7.c.2.e.c.a.8.b.0.6.a.c.2.0.a.e.c.6.7.3.9.0.0.0.0.0.0.0.0.!.0.0.0.0.3.0.7.8.7.7.9.d.8.9.2.b.d.9.6.e.5.d.f.d.d.b.7.6.d.4.9.1.f.5.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):6360
                                          Entropy (8bit):3.727360634541851
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJ4d6kY4JKMeKbpDM89bbGsfPLpm:R6lXJC6kY4JKUXblfPo
                                          MD5:086E54018286D459EF169DDBB85B5F14
                                          SHA1:571A6EC00E884B2809784E4488E093B673B4F744
                                          SHA-256:C4C73D9109E64729731EB2799B1DEEBAA6D408BAFB028EF5E9D441D245F4D053
                                          SHA-512:08CCDCFF1B5141C154441ECADF5E5888F267B5FFE3377B6412BA0857163F4F4128AE233840ACD36E9DB1606DC0D3952AF505C419ACABB5681185C6F9AE717432
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.0.<./.P.i.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4693
                                          Entropy (8bit):4.5079422393470985
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsKJg77aI9lqWpW8VYmyYm8M4Jwh9HNVFA+q8k9H3Bzy5c6dnKd:uIjfYI7DL7VLJwnH63H5mpKd
                                          MD5:2F012DC2DCA46965960536D2E7B16485
                                          SHA1:130FDEC75704AAE2D3FCF2D52C038DAD43A1F0F4
                                          SHA-256:457197771E6CC9C165DC755BCA0402B015408E1D57299FC3E5CD083121D83A1F
                                          SHA-512:280755A3655F21FBBB073991320F23186FFAFE7F8FFE1125F61FCCFAE048320C7E967F5CF8D2F449F6487CC4C45A1039E79099DBEFFF1BAEF089C9905B9AB330
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295152" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 15 streams, Thu Apr 25 08:09:24 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):1412121
                                          Entropy (8bit):4.7705692666385815
                                          Encrypted:false
                                          SSDEEP:24576:E+0TFxllb36hDS28Qu6I0OcsK33X3D1uKyozPbb:K6xs+b
                                          MD5:5F50FE3F9767D714AB6C451CD9061122
                                          SHA1:DC2C321FFD4C68209876C835ECFEC99242FB8F36
                                          SHA-256:D5A6F297A8F4DA3EFBA623505133B32E10079C66234FF322B6DF0D58E96D9772
                                          SHA-512:2D1C01009FC5CE67E0E70B7CF986EADF3A44BDADD8D80809B7EC0A562EFD68E63073473B86003CDE608789E6A666C7E709AAA0A0277E88FC941D6CBCE8B25F9A
                                          Malicious:false
                                          Preview:MDMP..a..... .........*f........................ ...........$....'......t/..$k..........`.......8...........T............H...D...........'...........)..............................................................................eJ......p*......GenuineIntel............T...........$.*f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Program Files (x86)\DNS Host\dnshost.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\hXGmUcb.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.380805901110357
                                          Encrypted:false
                                          SSDEEP:48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMRvUyus:lGLHxvCZfIfSKRHmOugras
                                          MD5:B566876512A578ADB569A5544D0B32B4
                                          SHA1:6532D9F859802B4B54268DA12FF0B4B43B5AA18D
                                          SHA-256:6F50BCB942EE5C98EA29B25043E48B52B1400AB41DA4BBE32F6584BA0F5E7F20
                                          SHA-512:41BAF585B968A626079BEFC634F9ECC14559475076D7B0309A810B12B04C5F584952448923951F4D1B1D9BCE9BB9E1FCC549348827D0731625035F3E32BC4173
                                          Malicious:false
                                          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1573
                                          Entropy (8bit):5.112658642476474
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaFxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT0v
                                          MD5:88B472B076812472F5B4858EB9C54F39
                                          SHA1:0CE2F1E5AD1BF54855EF4CDCDD81593777AB4DED
                                          SHA-256:8C7F19D3BD12A0DC01F15B3647B645CE1F8466E056D0091AB1A6B30BABB765BB
                                          SHA-512:8EB0BDA5519BD68BBF7269766371947B150A1096E54614C33CA83DB93BF8D220BFC84CF22F55B4DBB6624125B9732D59B46AE44F1EDE281138EC707468ACE583
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                          Process:C:\Users\user\AppData\Roaming\hXGmUcb.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1573
                                          Entropy (8bit):5.112658642476474
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaFxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT0v
                                          MD5:88B472B076812472F5B4858EB9C54F39
                                          SHA1:0CE2F1E5AD1BF54855EF4CDCDD81593777AB4DED
                                          SHA-256:8C7F19D3BD12A0DC01F15B3647B645CE1F8466E056D0091AB1A6B30BABB765BB
                                          SHA-512:8EB0BDA5519BD68BBF7269766371947B150A1096E54614C33CA83DB93BF8D220BFC84CF22F55B4DBB6624125B9732D59B46AE44F1EDE281138EC707468ACE583
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                          Process:C:\Program Files (x86)\DNS Host\dnshost.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1573
                                          Entropy (8bit):5.112658642476474
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaFxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT0v
                                          MD5:88B472B076812472F5B4858EB9C54F39
                                          SHA1:0CE2F1E5AD1BF54855EF4CDCDD81593777AB4DED
                                          SHA-256:8C7F19D3BD12A0DC01F15B3647B645CE1F8466E056D0091AB1A6B30BABB765BB
                                          SHA-512:8EB0BDA5519BD68BBF7269766371947B150A1096E54614C33CA83DB93BF8D220BFC84CF22F55B4DBB6624125B9732D59B46AE44F1EDE281138EC707468ACE583
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):232
                                          Entropy (8bit):7.089541637477408
                                          Encrypted:false
                                          SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
                                          MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
                                          SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
                                          SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
                                          SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
                                          Malicious:false
                                          Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:ISO-8859 text, with no line terminators
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:CV:G
                                          MD5:A60378C17C1F6D6CB6CFFBB7219FE6A1
                                          SHA1:9E08241101C1F89557448FC4FDD401DC35B06C09
                                          SHA-256:E3A0D5A82AB7419C91C9C6A32BF07461BA802E93EF2F1CE665FC8E15A541ED96
                                          SHA-512:8E6E297AEC84E672CBFE13A2B962298B794CEED54C7E3789154A8A1705D2AF10D1FF54C4699BCA5CA9C68E6BC1ABC2CF78A0B0A953D220395FD8A60B42AEDF03
                                          Malicious:true
                                          Preview:.c...d.H
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):686080
                                          Entropy (8bit):7.939628470038495
                                          Encrypted:false
                                          SSDEEP:12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
                                          MD5:11B19B59F657910F0AF49721A77BC2DD
                                          SHA1:3078779D892BD96E5DFDDB76D491F52EEFD39A2D
                                          SHA-256:C03858657307A20F2DA776BA010C76495276E80306C19B70F44342C8BCAECE85
                                          SHA-512:DE92458ACC1341BD5DB1CA3F5542339C5E06DAC938903EFC9C9EECA234058A92FB1E99BDB94C547A7126DFE033C300BEB5A8EF3CA63DCB61BB6DBD397B7602E2
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 13%
                                           • Antivirus: Virustotal, Detection: 28%
                                          Process:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:false
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.46568032527505
                                          Encrypted:false
                                          SSDEEP:6144:KIXfpi67eLPU9skLmb0b40WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbD:/XD940WlLZMM6YFHa+D
                                          MD5:5066D8F6188A08CFAA3E0029322613DF
                                          SHA1:49D2D07A298E9B60768A137BF28D709247C46C96
                                          SHA-256:0655D9CA2791FF02170B006D1D0669FD5B6E8B841F3BC85F7E3413F0646DA06B
                                          SHA-512:6BDF7B445D81FF750262FA2C77F4712136E79FB648A63048E9995159AC9400F7C617DF767CC8CB1FB9D76763F4C59191303BE6A76B4418AC09379D1747F507F7
                                          Malicious:false
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.939628470038495
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          File name:PROOF OF PAYMENT.scr.exe
                                          File size:686'080 bytes
                                          MD5:11b19b59f657910f0af49721a77bc2dd
                                          SHA1:3078779d892bd96e5dfddb76d491f52eefd39a2d
                                          SHA256:c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
                                          SHA512:de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2
                                          SSDEEP:12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
                                          TLSH:1FE4225172DCCBA7FD394FB804A1102057F9ED207935E33A2AC591CC5B6BBC64821AAF
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f..............0..P... .......n... ........@.. ....................................`................................
                                          Icon Hash:c14e4c4c4c4c4f41
                                          Entrypoint:0x4a6e0a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6629F094 [Thu Apr 25 05:56:36 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          xor eax, 35455354h
                                          xor dword ptr [edi+eax*2], esi
                                          dec eax
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [ebx+4Ah], dl
                                          push ebx
                                          cmp byte ptr [eax+edi+34h], al
                                          inc ebx
                                          inc ebx
                                          xor al, 37h
                                          xor eax, 00000035h
                                          add byte ptr [eax], al
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6db8 | 0x4f | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x1008 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0xa4e30 | 0xa5000 | b237a46f22eb8e4f0f379f4607f6e5d2 | False | 0.9507442589962121 | data | 7.966591288732788 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0xa8000 | 0x1008 | 0x1800 | 43fcb3131130c7c66c6d659a59d0e88d | False | 0.5413411458333334 | data | 5.084424939274159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0xaa000 | 0xc | 0x800 | cfd9b99a85533b395554b59f30c652d4 | False | 0.015625 | data | 0.02939680787012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_ICON | 0xa80c8 | 0xc08 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9308441558441558
                                           RT_GROUP_ICON | 0xa8ce0 | 0x14 | data | | | 1.05
                                           RT_VERSION | 0xa8d04 | 0x300 | MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4" | | | 0.4427083333333333
Imports
DLL          Import
mscoree.dll  _CorExeMain

The single import is the CLR entry stub, the normal import table of a managed (.NET) executable (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry above points at its CLR header); the managed code's real dependencies are resolved from metadata at run time and do not appear here.
Snort IDS Alerts
Timestamp                 Proto  SID      Message                                             Src Port  Dst Port  Source IP       Dest IP
04/25/24-10:07:12.230926  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49736     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:44.071335  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49746     3190      192.168.2.4     45.95.169.113
04/25/24-10:08:04.153977  TCP    2046917  ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  3190      49750     45.95.169.113   192.168.2.4
04/25/24-10:07:19.102498  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49743     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:52.316693  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49747     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:43.166059  TCP    2816718  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon         49746     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:58.181438  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49749     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:37.344999  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49745     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:04.775638  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49735     3190      192.168.2.4     45.95.169.113
04/25/24-10:08:32.065581  TCP    2046917  ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  3190      49755     45.95.169.113   192.168.2.4
04/25/24-10:08:15.746456  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49752     3190      192.168.2.4     45.95.169.113
04/25/24-10:07:26.388769  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49744     3190      192.168.2.4     45.95.169.113
04/25/24-10:08:04.154158  TCP    2046914  ET TROJAN NanoCore RAT CnC 7                        49750     3190      192.168.2.4     45.95.169.113
TCP Packets
Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Apr 25, 2024 10:07:02.638719082 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:03.113621950 CEST  3190      49735     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:03.113889933 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:03.123375893 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:03.627260923 CEST  3190      49735     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:03.627336025 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:04.304474115 CEST  3190      49735     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:04.304596901 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:04.775558949 CEST  3190      49735     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:04.775638103 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:05.368866920 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:05.463318110 CEST  3190      49735     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:05.463401079 CEST  49735     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:10.090799093 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:10.567576885 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:10.567646027 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:10.568161011 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:11.069838047 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:11.071860075 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:11.746608019 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:11.746675014 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:12.230855942 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:12.230926037 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:12.912636042 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:12.912708044 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:13.024640083 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:13.461246014 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:13.461460114 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:13.470782042 CEST  3190      49736     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:13.470944881 CEST  49736     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:17.182109118 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:17.665025949 CEST  3190      49743     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:17.665159941 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:17.665827036 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:18.182715893 CEST  3190      49743     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:18.182810068 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:19.102498055 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:19.607001066 CEST  3190      49743     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:19.610073090 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:20.061218977 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:20.226171970 CEST  3190      49743     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:20.226253033 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:20.234052896 CEST  3190      49743     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:20.234123945 CEST  49743     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:24.222790956 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:24.710899115 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:24.711000919 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:24.711409092 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:25.224386930 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:25.224474907 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:25.905313015 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:25.905407906 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:26.388672113 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:26.388768911 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:27.066214085 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:27.067970037 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:27.674882889 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:27.675165892 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:27.675268888 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:28.010798931 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:28.170140982 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:28.170262098 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:28.170732021 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:28.170805931 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:28.170891047 CEST  3190      49744     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:28.170954943 CEST  49744     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:32.167135000 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:33.180706024 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:35.180666924 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:35.655010939 CEST  3190      49745     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:35.655102968 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:35.655457020 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:36.168452978 CEST  3190      49745     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:36.168564081 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:36.847554922 CEST  3190      49745     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:36.847631931 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:37.344863892 CEST  3190      49745     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:37.344999075 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:38.009160995 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:38.022255898 CEST  3190      49745     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:38.022319078 CEST  49745     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:42.184803963 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:42.661257982 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:42.661427021 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:42.661802053 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:43.165920973 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:43.166059017 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:44.071335077 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:44.555130005 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:44.567331076 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:44.570039034 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:45.036354065 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:45.193768024 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:45.193871021 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:45.194181919 CEST  3190      49746     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:45.194238901 CEST  49746     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:49.182972908 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:50.180672884 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:50.662939072 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:50.663043022 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:50.663352966 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:51.164581060 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:51.164746046 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:51.837591887 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:51.837677002 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:52.316605091 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:52.316693068 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:53.017662048 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:53.018340111 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:53.055803061 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:53.604907036 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:53.605072975 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:53.607000113 CEST  3190      49747     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:53.607053041 CEST  49747     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:57.183785915 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:57.671299934 CEST  3190      49749     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:57.671535015 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:57.671798944 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:58.181241989 CEST  3190      49749     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:58.181437969 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:58.868716002 CEST  3190      49749     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:58.868805885 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:59.055917025 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:07:59.355983973 CEST  3190      49749     45.95.169.113   192.168.2.4
Apr 25, 2024 10:07:59.356086016 CEST  49749     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:03.187443018 CEST  49750     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:03.667001963 CEST  3190      49750     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:03.667078972 CEST  49750     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:03.667486906 CEST  49750     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:04.153976917 CEST  3190      49750     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:04.154158115 CEST  49750     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:05.056025028 CEST  49750     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:09.186526060 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:09.656395912 CEST  3190      49751     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:09.656639099 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:09.656841040 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:10.178013086 CEST  3190      49751     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:10.178349018 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:10.571501970 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:11.061100960 CEST  3190      49751     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:11.061285019 CEST  49751     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:14.699559927 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:15.177495956 CEST  3190      49752     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:15.177711010 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:15.177882910 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:15.746381044 CEST  3190      49752     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:15.746455908 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:16.420348883 CEST  3190      49752     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:16.420450926 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:16.587033987 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:16.929205894 CEST  3190      49752     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:16.929296017 CEST  49752     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:20.716276884 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:21.201823950 CEST  3190      49753     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:21.202008963 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:21.202366114 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:21.736639023 CEST  3190      49753     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:21.737004042 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:21.963130951 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:22.226015091 CEST  3190      49753     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:22.226125002 CEST  49753     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:26.122052908 CEST  49754     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:26.589687109 CEST  3190      49754     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:26.589818954 CEST  49754     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:26.590146065 CEST  49754     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:26.978637934 CEST  49754     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:27.091622114 CEST  3190      49754     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:27.091895103 CEST  49754     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:31.105689049 CEST  49755     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:31.579899073 CEST  3190      49755     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:31.579993963 CEST  49755     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:31.580306053 CEST  49755     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:31.993406057 CEST  49755     3190      192.168.2.4     45.95.169.113
Apr 25, 2024 10:08:32.065581083 CEST  3190      49755     45.95.169.113   192.168.2.4
Apr 25, 2024 10:08:32.067995071 CEST  49755     3190      192.168.2.4     45.95.169.113
UDP Packets
Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Apr 25, 2024 10:07:02.479727983 CEST  55330     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:02.620145082 CEST  53        55330     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:09.979945898 CEST  51576     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:10.090296984 CEST  53        51576     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:17.041346073 CEST  60853     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:17.181492090 CEST  53        60853     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:24.072782040 CEST  51849     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:24.222127914 CEST  53        51849     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:32.025840998 CEST  57935     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:32.166511059 CEST  53        57935     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:42.025839090 CEST  65360     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:42.183904886 CEST  53        65360     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:49.042040110 CEST  58305     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:49.182323933 CEST  53        58305     8.8.8.8         192.168.2.4
Apr 25, 2024 10:07:57.072628021 CEST  62271     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:07:57.183244944 CEST  53        62271     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:03.072805882 CEST  54057     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:03.186644077 CEST  53        54057     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:09.075011969 CEST  57720     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:09.185825109 CEST  53        57720     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:14.588280916 CEST  59171     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:14.698827982 CEST  53        59171     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:20.604998112 CEST  51194     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:20.715656996 CEST  53        51194     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:25.978939056 CEST  58579     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:26.121367931 CEST  53        58579     8.8.8.8         192.168.2.4
Apr 25, 2024 10:08:30.994498014 CEST  59329     53        192.168.2.4     8.8.8.8
Apr 25, 2024 10:08:31.104964972 CEST  53        59329     8.8.8.8         192.168.2.4
DNS Queries
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Apr 25, 2024 10:07:02.479727983 CEST  192.168.2.4  8.8.8.8  0x81ee    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:09.979945898 CEST  192.168.2.4  8.8.8.8  0x3e82    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:17.041346073 CEST  192.168.2.4  8.8.8.8  0xd88e    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:24.072782040 CEST  192.168.2.4  8.8.8.8  0x2327    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:32.025840998 CEST  192.168.2.4  8.8.8.8  0x8a9e    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:42.025839090 CEST  192.168.2.4  8.8.8.8  0xac70    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:49.042040110 CEST  192.168.2.4  8.8.8.8  0x9523    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:57.072628021 CEST  192.168.2.4  8.8.8.8  0x3f3a    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:03.072805882 CEST  192.168.2.4  8.8.8.8  0xad69    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:09.075011969 CEST  192.168.2.4  8.8.8.8  0x440e    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:14.588280916 CEST  192.168.2.4  8.8.8.8  0x5557    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:20.604998112 CEST  192.168.2.4  8.8.8.8  0x16a7    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:25.978939056 CEST  192.168.2.4  8.8.8.8  0x48f3    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:30.994498014 CEST  192.168.2.4  8.8.8.8  0xe87e    Standard query (0)  amechi.duckdns.org  A (IP address)  IN (0x0001)  false
DNS Answers
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address        Type            Class        DNS over HTTPS
Apr 25, 2024 10:07:02.620145082 CEST  8.8.8.8    192.168.2.4  0x81ee    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:10.090296984 CEST  8.8.8.8    192.168.2.4  0x3e82    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:17.181492090 CEST  8.8.8.8    192.168.2.4  0xd88e    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:24.222127914 CEST  8.8.8.8    192.168.2.4  0x2327    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:32.166511059 CEST  8.8.8.8    192.168.2.4  0x8a9e    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:42.183904886 CEST  8.8.8.8    192.168.2.4  0xac70    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:49.182323933 CEST  8.8.8.8    192.168.2.4  0x9523    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:07:57.183244944 CEST  8.8.8.8    192.168.2.4  0x3f3a    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:03.186644077 CEST  8.8.8.8    192.168.2.4  0xad69    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:09.185825109 CEST  8.8.8.8    192.168.2.4  0x440e    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:14.698827982 CEST  8.8.8.8    192.168.2.4  0x5557    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:20.715656996 CEST  8.8.8.8    192.168.2.4  0x16a7    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:26.121367931 CEST  8.8.8.8    192.168.2.4  0x48f3    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
Apr 25, 2024 10:08:31.104964972 CEST  8.8.8.8    192.168.2.4  0xe87e    No error (0)  amechi.duckdns.org  -      45.95.169.113  A (IP address)  IN (0x0001)  false
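The network tables show one pattern fourteen times: an A lookup of amechi.duckdns.org (always answered with 45.95.169.113, with no caching between lookups), then a new TCP connection from a fresh ephemeral port to 45.95.169.113:3190, a few seconds after the previous one. The script below is an added example, not part of this report or of Joe Sandbox, that turns packet rows of this layout into a per-server beacon score: the first packet of each client flow is taken as the connection start, the gaps between consecutive connections to the same server and port are computed, and their regularity is expressed as the median absolute deviation divided by the median gap. The sample rows are the fourteen connection starts from the TCP table; the function names, the thresholds and the address-to-name map are assumptions made for this example.

```python
"""Beacon-interval analysis over the packet rows of a sandbox report.

Added example, not part of the original report or of Joe Sandbox. Rows use
the column order of the report's TCP table (timestamp, source port, dest
port, source IP, dest IP). The sample rows are the first client packet of
each of the 14 connections to 45.95.169.113:3190 listed in the report; the
function names, thresholds and the address-to-name map are assumptions made
for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed from the report's TCP table: first packet of each connection.
SAMPLE_ROWS = """\
Apr 25, 2024 10:07:02.638719082 CEST 49735 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:10.090799093 CEST 49736 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:17.182109118 CEST 49743 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:24.222790956 CEST 49744 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:32.167135000 CEST 49745 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:42.184803963 CEST 49746 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:49.182972908 CEST 49747 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:07:57.183785915 CEST 49749 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:03.187443018 CEST 49750 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:09.186526060 CEST 49751 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:14.699559927 CEST 49752 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:20.716276884 CEST 49753 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:26.122052908 CEST 49754 3190 192.168.2.4 45.95.169.113
Apr 25, 2024 10:08:31.105689049 CEST 49755 3190 192.168.2.4 45.95.169.113
"""

# Constructed from the report's DNS answers: resolved address -> queried name.
RESOLVED = {"45.95.169.113": "amechi.duckdns.org"}

EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """Return (seconds, sport, dport, src, dst) for one packet row.

    The timestamp carries nanoseconds but datetime keeps microseconds, so the
    fraction is truncated before parsing; the gaps measured here are whole
    seconds, so nothing of interest is lost.
    """
    mon, day, year, clock, _tz, sport, dport, src, dst = line.split()
    whole, frac = clock.split(".")
    stamp = datetime.strptime(f"{mon} {day} {year} {whole}.{frac[:6]}",
                              "%b %d, %Y %H:%M:%S.%f")
    return (stamp - EPOCH).total_seconds(), int(sport), int(dport), src, dst


def connection_starts(rows):
    """Earliest packet per (src, sport, dst, dport) flow, grouped by client->server:port."""
    first_seen = {}
    for line in rows.strip().splitlines():
        t, sport, dport, src, dst = parse_row(line)
        key = (src, sport, dst, dport)
        first_seen[key] = min(t, first_seen.get(key, t))
    by_server = defaultdict(list)
    for (src, _sport, dst, dport), t in first_seen.items():
        by_server[(src, dst, dport)].append(t)
    return {k: sorted(v) for k, v in by_server.items()}


def beacon_report(rows, min_connections=5, max_jitter=0.5):
    """Score each client->server:port pair for periodic reconnects.

    jitter = median absolute deviation of the inter-connection gaps, divided
    by the median gap. A RAT check-in loop shows many connections with low
    jitter; interactive traffic does not. Thresholds are assumptions.
    """
    findings = []
    for (src, dst, dport), starts in connection_starts(rows).items():
        if len(starts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        jitter = median(abs(g - med) for g in gaps) / med
        findings.append({
            "client": src, "server": dst, "port": dport,
            "name": RESOLVED.get(dst, "?"),
            "connections": len(starts),
            "median_gap_s": round(med, 3),
            "jitter": round(jitter, 3),
            "beacon": jitter <= max_jitter,
        })
    return findings


if __name__ == "__main__":
    for finding in beacon_report(SAMPLE_ROWS):
        print(finding)
```

On the report's rows this yields one finding: 14 connections to 45.95.169.113:3190 (amechi.duckdns.org) with a median gap of about 7 s and jitter well under 0.2, so the pair is flagged as a beacon. The same routine applied to a full capture rather than these pre-selected rows still works, because the first packet of each (client, port) flow is taken automatically; only the per-server grouping needs the rows to be in the report's column order.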

                                          Target ID:0
                                          Start time:10:06:52
                                          Start date:25/04/2024
                                          Path:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
                                          Imagebase:0x160000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1719041466.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1716851418.0000000003579000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:10:06:59
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
                                          Imagebase:0x160000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:10:06:59
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:10:06:59
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
                                          Imagebase:0x160000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
                                          Imagebase:0x8a0000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
                                          Imagebase:0x3a0000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:9
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
                                          Imagebase:0xa0000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:10:07:00
                                          Start date:25/04/2024
                                          Path:C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
                                          Imagebase:0xc50000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:10:07:01
                                          Start date:25/04/2024
                                          Path:C:\Users\user\AppData\Roaming\hXGmUcb.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\hXGmUcb.exe
                                          Imagebase:0x370000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 13%, ReversingLabs
                                          • Detection: 28%, Virustotal, Browse
                                          Reputation:low
                                          Has exited:true

                                          Target ID:12
                                          Start time:10:07:02
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff693ab0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:10:07:09
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
                                          Imagebase:0x8a0000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:14
                                          Start time:10:07:09
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:15
                                          Start time:10:07:10
                                          Start date:25/04/2024
                                          Path:C:\Users\user\AppData\Roaming\hXGmUcb.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\hXGmUcb.exe"
                                          Imagebase:0x730000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low
                                          Has exited:true

                                          Target ID:17
                                          Start time:10:07:12
                                          Start date:25/04/2024
                                          Path:C:\Program Files (x86)\DNS Host\dnshost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\DNS Host\dnshost.exe"
                                          Imagebase:0x2d0000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 13%, ReversingLabs
                                          • Detection: 28%, Virustotal, Browse
                                          Reputation:low
                                          Has exited:true

                                          Target ID:18
                                          Start time:10:07:18
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
                                          Imagebase:0x8a0000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:19
                                          Start time:10:07:18
                                          Start date:25/04/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:20
                                          Start time:10:07:19
                                          Start date:25/04/2024
                                          Path:C:\Program Files (x86)\DNS Host\dnshost.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files (x86)\DNS Host\dnshost.exe"
                                          Imagebase:0x3d0000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:10:07:19
                                          Start date:25/04/2024
                                          Path:C:\Program Files (x86)\DNS Host\dnshost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\DNS Host\dnshost.exe"
                                          Imagebase:0x910000
                                          File size:686'080 bytes
                                          MD5 hash:11B19B59F657910F0AF49721A77BC2DD
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Has exited:true

                                          Target ID:27
                                          Start time:10:08:35
                                          Start date:25/04/2024
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560
                                          Imagebase:0x760000
                                          File size:483'680 bytes
                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true
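
The process list above records the two host-side actions an analyst would want to alert on: a Windows Defender exclusion added through PowerShell's Add-MpPreference (Target IDs 2 and 4) and a scheduled task registered by schtasks /Create from an XML file in the user's Temp directory (Target IDs 6, 13 and 18). The detector below is an added example, not part of the Joe Sandbox report; it runs over constructed process-creation records in the shape of Sysmon Event ID 1 fields. The Image and CommandLine values of the first two records are taken from the report, while the ParentImage values, the -EncodedCommand variant (the form the report's "Base64 Encoded MpPreference Cmdlet" Sigma rule targets) and the benign controls are assumptions.

```python
"""Flag Defender exclusions added via Add-MpPreference and scheduled tasks
created from an XML file in a temp directory, over Sysmon-style records.

Added example, not from the Joe Sandbox report. Records are constructed;
ParentImage values and the -EncodedCommand variant are assumptions.
"""
import base64
import re
from typing import Dict, List

EventType = Dict[str, str]

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)


def effective_command_line(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) so the
    string checks below see the real cmdlet; leave the line alone when there
    is no payload or it does not decode."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} <decoded: {decoded}>"


def classify(event: EventType) -> List[str]:
    """Return the rule names that match one process-creation record."""
    image = event["Image"].lower()
    cmd = effective_command_line(event["CommandLine"])
    low = cmd.lower()
    hits: List[str] = []
    if image.endswith("powershell.exe") and "add-mppreference" in low and "-exclusion" in low:
        hits.append("defender_exclusion_added")
    if image.endswith("schtasks.exe") and "/create" in low and "/xml" in low and TEMP_DIR_RE.search(cmd):
        hits.append("schtasks_xml_from_temp")
    # Context enrichment: in the report both actions were launched by a binary in a user-writable path.
    if hits and USER_WRITABLE_RE.search(event.get("ParentImage", "")):
        hits.append("parent_in_user_writable_path")
    return hits


def scan(events: List[EventType]) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, omitting events with no match."""
    result: Dict[int, List[str]] = {}
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            result[i] = hits
    return result


# Constructed sample records (Sysmon EID 1 style). Records 0 and 1 reuse the
# command lines from the report; 2 is an assumed encoded variant; 3 and 4 are benign controls.
EVENTS: List[EventType] = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"',
     "ParentImage": r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + base64.b64encode(
         'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\hXGmUcb.exe"'.encode("utf-16-le")).decode(),
     "ParentImage": r"C:\Users\user\AppData\Roaming\hXGmUcb.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, EVENTS[idx]["CommandLine"][:60], "->", ", ".join(rules))
```

Matching on the decoded payload is what separates this from a plain substring rule: the same Add-MpPreference call hidden behind -EncodedCommand still produces the defender_exclusion_added hit, and the temp-directory check on the /XML argument keeps ordinary administrative schtasks usage out of the results.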


                                            Execution Graph

                                            Execution Coverage:10.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:126
                                            Total number of Limit Nodes:9
                                             execution_graph (rendered as an interactive graph; the node and edge identifiers are not recoverable as text). Windows API calls that appear as graph nodes, reached from the code in the memory dump at 0x2470000:
                                             • CreateProcessA
                                             • VirtualAllocEx
                                             • WriteProcessMemory
                                             • ReadProcessMemory
                                             • Wow64SetThreadContext
                                             • ResumeThread
                                             • DuplicateHandle
                                             • GetModuleHandleW
                                             • LoadLibraryExW
                                             • CreateActCtxA
                                             • PostMessageW
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 626e527f520bf3c9bed6412b24eca4860b2ee0879fe8b112803d05bcced55d50
                                            • Instruction ID: f30af82592bbd9ec799843130e083b417e3c4c964c189973f856b78c2c11997c
                                            • Opcode Fuzzy Hash: 626e527f520bf3c9bed6412b24eca4860b2ee0879fe8b112803d05bcced55d50
                                            • Instruction Fuzzy Hash: B0C1B9307017418FEB2AEB76C460BAEB7E7AF89704F14446ED55A9B390DB74E902CB11
                                            Uniqueness

                                            Uniqueness Score: -1.00%
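The execution graph above reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread in the 06E20000 region, which is the ordered API chain of process hollowing: a child is created suspended, its memory is overwritten with another image, the main thread's context is pointed at the new entry, and the thread is resumed (the signatures list above records both the suspended-mode create and the PE injection into a foreign process). The script below is an added example, not Joe Sandbox code. It correlates that chain per child process over a simplified, constructed trace format (Api(key=value, ...) -> key=value ...; handles, addresses and the host path are invented), and only convicts when every stage runs in order against a suspended child with at least one write landing inside memory the sample itself allocated; a trace that stops after WriteProcessMemory is reported as partial rather than dropped, because other injection techniques share the opening moves.

```python
"""Correlate a Win32 API call trace into a process-hollowing verdict.

Added example for this report, not Joe Sandbox code. The trace format is
constructed for illustration and is not the sandbox's native log format;
adapt parse_trace() to the source you actually have.
"""
import re
from dataclasses import dataclass, field

# Documented Win32 constant: dwCreationFlags bit that starts the child suspended.
CREATE_SUSPENDED = 0x00000004

# The chain the sample's execution graph reaches in the 06E20000 region, in the
# order hollowing needs it. ReadProcessMemory appears there too but is optional
# (reading the host's PEB / image base), so it is not a required stage.
HOLLOWING_CHAIN = (
    "CreateProcessA",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "Wow64SetThreadContext",
    "ResumeThread",
)

LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>.*)$")


def _kv(text):
    """Turn 'a=1, b=0x2' (comma or space separated) into a dict of strings."""
    out = {}
    for tok in re.split(r"[,\s]+", text.strip()):
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def _hex(v):
    try:
        return int(v, 16)
    except (TypeError, ValueError):
        return None


def parse_trace(lines):
    """Yield (api, args, ret) per well-formed line; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("api"), _kv(m.group("args")), _kv(m.group("ret"))


@dataclass
class Target:
    """Everything observed against one child process created by the sample."""
    hprocess: str
    hthread: str = ""
    suspended: bool = False
    allocs: list = field(default_factory=list)   # (base, size) from VirtualAllocEx
    writes_into_alloc: int = 0                   # WriteProcessMemory calls inside an alloc
    stages: list = field(default_factory=list)   # chain APIs, in order first seen


def analyze(lines):
    """Group calls by the child handle they target; return {hProcess: Target}."""
    targets, by_thread = {}, {}
    for api, args, ret in parse_trace(lines):
        if api == "CreateProcessA" and ret.get("ret") == "1":
            t = Target(ret.get("hProcess", ""), ret.get("hThread", ""))
            flags = _hex(args.get("dwCreationFlags", "0")) or 0
            t.suspended = bool(flags & CREATE_SUSPENDED)
            t.stages.append(api)
            targets[t.hprocess] = t
            by_thread[t.hthread] = t
            continue
        # Thread-scoped calls (SetThreadContext/ResumeThread) only carry hThread, so
        # map them back to the process through the handle pair CreateProcess returned.
        t = targets.get(args.get("hProcess")) or by_thread.get(args.get("hThread"))
        if t is None:
            continue  # touches a handle this trace never saw created
        if api == "VirtualAllocEx":
            base, size = _hex(ret.get("ret")), _hex(args.get("dwSize"))
            if base is not None and size:
                t.allocs.append((base, size))
        elif api == "WriteProcessMemory":
            addr = _hex(args.get("lpBaseAddress"))
            if addr is not None and any(b <= addr < b + s for b, s in t.allocs):
                t.writes_into_alloc += 1
        if api in HOLLOWING_CHAIN and api not in t.stages:
            t.stages.append(api)
    return targets


def verdict(t):
    """'hollowing' only if every stage ran in order on a suspended child with a
    write into memory the sample allocated; two or more stages is 'partial'."""
    if tuple(t.stages) == HOLLOWING_CHAIN and t.suspended and t.writes_into_alloc:
        return "hollowing"
    return "partial" if len(t.stages) >= 2 else "none"


def summarize(lines):
    """{hProcess: verdict} for every child process seen in the trace."""
    return {h: verdict(t) for h, t in analyze(lines).items()}


# Constructed trace modelled on the API set in this report (handles, addresses
# and the host path are invented).
SAMPLE_TRACE = """\
GetModuleHandleW(lpModuleName=NULL) -> ret=0x400000
CreateProcessA(lpApplicationName=C:\\host.exe, dwCreationFlags=0x4) -> ret=1 hProcess=0x1a4 hThread=0x1a8
ReadProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7ffde008, nSize=0x4) -> ret=1
VirtualAllocEx(hProcess=0x1a4, lpAddress=0x400000, dwSize=0x2a000, flProtect=0x40) -> ret=0x400000
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x400) -> ret=1
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x401000, nSize=0x1f000) -> ret=1
Wow64SetThreadContext(hThread=0x1a8) -> ret=1
ResumeThread(hThread=0x1a8) -> ret=1
PostMessageW(hWnd=0x30a2c, Msg=0x10, wParam=0x0) -> ret=1
"""

# Same opening moves but no context switch or resume: flag it, do not convict.
PARTIAL_TRACE = """\
CreateProcessA(lpApplicationName=C:\\host.exe, dwCreationFlags=0x4) -> ret=1 hProcess=0x2b0 hThread=0x2b4
VirtualAllocEx(hProcess=0x2b0, lpAddress=0x0, dwSize=0x1000, flProtect=0x40) -> ret=0x5a0000
WriteProcessMemory(hProcess=0x2b0, lpBaseAddress=0x5a0000, nSize=0x200) -> ret=1
"""

if __name__ == "__main__":
    for h, t in analyze(SAMPLE_TRACE.splitlines()).items():
        print(h, verdict(t), " -> ".join(t.stages))
```

Keying on the handle pair returned by CreateProcessA is what makes the correlation hold up: the context-switch and resume calls in this sample's graph (6e2cacd, 6e2c9d6) take only a thread handle, so a detector that groups by process handle alone never sees the last two stages. The same skeleton works for the 64-bit SetThreadContext variant by adding it to the chain.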

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38f792c7c8f33468da7b14fdb01f1df7af2b50545207ee3866bcd6e26bb72db6
                                            • Instruction ID: c541ced1622a851546974da6b4df4b93fe8b3e375a303e163a941e8804124710
                                            • Opcode Fuzzy Hash: 38f792c7c8f33468da7b14fdb01f1df7af2b50545207ee3866bcd6e26bb72db6
                                            • Instruction Fuzzy Hash: 21611671D45229CBDB28CF66CC407EDBBB6BF89300F14E1AAD519A6254EB705AC6CF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f35da1ff6dc7193d68d7f3191d665ba5666d447ba8100c209582f2bcde5b17e4
                                            • Instruction ID: fa00436012879d4343094b88f1b7c47828679a5d9a0fd9aa03ae19793e9726b1
                                            • Opcode Fuzzy Hash: f35da1ff6dc7193d68d7f3191d665ba5666d447ba8100c209582f2bcde5b17e4
                                            • Instruction Fuzzy Hash: B9513A75E0521ADFDB44CFA6D4456EEBBF3EF88310F20A42AD416A7394D7789A018F90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a2308e7d8b9803d6b3de9519bad9d97d7f5a3940d92a3c893c4fa975f31de13
                                            • Instruction ID: 7be70531d4d580a3a2d76f74b864397ec891ca1d6be6909d037f64d3de216e07
                                            • Opcode Fuzzy Hash: 5a2308e7d8b9803d6b3de9519bad9d97d7f5a3940d92a3c893c4fa975f31de13
                                            • Instruction Fuzzy Hash: 79513874E0521ACFDB44CFA6D4456EEBBF2EF88310F10A42AD416A7294D7789A018F90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9b02d34b6548d714904ff25286d3e672666d56093eafd2893fcdcfa744aeed0
                                            • Instruction ID: 5ccfe4c924bb390dbabcc2e7459a55b9676e4b1621a01dcbc26ad20a59007f6c
                                            • Opcode Fuzzy Hash: f9b02d34b6548d714904ff25286d3e672666d56093eafd2893fcdcfa744aeed0
                                            • Instruction Fuzzy Hash: C82128B0D056298BEB58CFA6C9143DEFBF7BF89300F14D06AD40866254DB74094A8F90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37cf359c2e0fa5887f4fd365e6c38311d9f9999216b6ccb06ff1357f9b210061
                                            • Instruction ID: bd5ca2159b9d88890386710242442eb738756b0ab69922bb784ae080209756dd
                                            • Opcode Fuzzy Hash: 37cf359c2e0fa5887f4fd365e6c38311d9f9999216b6ccb06ff1357f9b210061
                                            • Instruction Fuzzy Hash: 7B21E3B0D046298BEB58CFABC9447EEFAF7AFC8300F14D02AD40966254DB74094A8F90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2e95f9dbb3f13a61e51df9c1fc849f8a923cdbfa41cf37e4a156c85e732cfac
                                            • Instruction ID: bc5255f59be7d8a84215b0726fefca706c83b750d67bed03edd5721c94352c84
                                            • Opcode Fuzzy Hash: d2e95f9dbb3f13a61e51df9c1fc849f8a923cdbfa41cf37e4a156c85e732cfac
                                            • Instruction Fuzzy Hash: B6D09E7889D21CCFC790DF64D8489F8B7BDAF4A310F4031A6C51EA3255DA7098C5CE05
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 6e2d2d5: basic blocks 6e2d2d5-6e2d625; CreateProcessA called in block 6e2d46f-6e2d529, which branches to 6e2d52b-6e2d531 or 6e2d532-6e2d5b8
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06E2D516
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 8fd58f5cb5fbe710265a3380c3cbb014228c582a87fdff06a753c6e192fc4ab8
                                            • Instruction ID: bde0ae35ddb0d3992974837158be9ef29f25f25c240fd741493b4b271de01b5c
                                            • Opcode Fuzzy Hash: 8fd58f5cb5fbe710265a3380c3cbb014228c582a87fdff06a753c6e192fc4ab8
                                            • Instruction Fuzzy Hash: 28A13771D0032ACFDB64CF68C8407EDBBB2BF48314F1485A9E949A7290DB749985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 6e2d2e0: basic blocks 6e2d2e0-6e2d625; CreateProcessA called in block 6e2d46f-6e2d529, which branches to 6e2d52b-6e2d531 or 6e2d532-6e2d5b8
                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06E2D516
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: d1ae933ccc02dcaa30ea4f122d84530512688fc8a59cd9b14d1ee319fe012be7
                                            • Instruction ID: e4bc6bbcc599d2f7c7ac2fa2c918779fa8d7c7c9cdd7204ee0e714596a8a16e0
                                            • Opcode Fuzzy Hash: d1ae933ccc02dcaa30ea4f122d84530512688fc8a59cd9b14d1ee319fe012be7
                                            • Instruction Fuzzy Hash: 3B912671D0032ACFDB64CF68CC407EDBAB2BF48314F1485A9E949A7280DB749985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 251b55f: basic blocks 251b55f-251b7f0; calls 2518ac0 (block 251b581-251b58e), 251b7f8 / 251b808 (251b596), 251af54 (251b628-251b62f), 251af64 (251b670-251b679), 251af74 and 251af84 (251b696-251b6a6); GetModuleHandleW called in block 251b7a8-251b7d3
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0251B7C6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 21879f759524c089acc3c6a5058be496ddcd61a1365550e20e78982f8321d298
                                            • Instruction ID: 12b64e9b9ab17edc82c3f8ac9f78af169d1fdc54abf219b80eff52ad64c7f8af
                                            • Opcode Fuzzy Hash: 21879f759524c089acc3c6a5058be496ddcd61a1365550e20e78982f8321d298
                                            • Instruction Fuzzy Hash: 75813670A00B458FE724DF69D15479ABBF2FF88308F148A2DD08AD7A50D774E949CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 251590c: basic blocks 251590c-2515a61; CreateActCtxA called in block 251598f-25159d9, which branches to 25159db-25159e1 or 25159e2-2515a3c
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 025159C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 07951e4451bb5e80520ab5aded47b00c20fda61cbfa5d4ac109e40634a70a98c
                                            • Instruction ID: 38207588a42b4ff3260d6f86a541ee88c8c7612f2542e0508f9296bcae6c823a
                                            • Opcode Fuzzy Hash: 07951e4451bb5e80520ab5aded47b00c20fda61cbfa5d4ac109e40634a70a98c
                                            • Instruction Fuzzy Hash: E641E470C00719CFDB14CFA9C8847DEBBB5BF89304F2480AAD448AB255D775694ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 25144e4: basic blocks 25144e4-2515a61; CreateActCtxA called in the entry block 25144e4-25159d9, which branches to 25159db-25159e1 or 25159e2-2515a3c
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 025159C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: c0ba7525833e722124780f6bd3564331e6aed23eafe4aaaaee6dda61883b1d3c
                                            • Instruction ID: d5fac9c2cadceb0f30078742d041377a009cb7364d1f21375236c82f43ebafa5
                                            • Opcode Fuzzy Hash: c0ba7525833e722124780f6bd3564331e6aed23eafe4aaaaee6dda61883b1d3c
                                            • Instruction Fuzzy Hash: FB41D4B0C00719CFDB24CFA9C84479DBBF5BF89304F648069D408AB255DB756985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 2515a84: basic blocks 2515a84-2515b14 plus the shared tail 2515a42-2515a61; no API calls
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3da57b4c1f6ca76fe6aad10b2d5d6ee7511a2ba9e9e52b1628e098af63066ac0
                                            • Instruction ID: ac4aa14346871018ce52df0413c0df9cd2d58d93a146b05998ecaa1afc1f1096
                                            • Opcode Fuzzy Hash: 3da57b4c1f6ca76fe6aad10b2d5d6ee7511a2ba9e9e52b1628e098af63066ac0
                                            • Instruction Fuzzy Hash: FD31CF70804749CFEB00CFA8C8547DDBBF1FF86308F944199D005AB295EB79998ACB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 6e2d051: basic blocks 6e2d051-6e2d12e; WriteProcessMemory called in block 6e2d0b6-6e2d0f5, which branches to 6e2d0f7-6e2d0fd or 6e2d0fe-6e2d12e
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06E2D0E8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: f2e90212c057f175c48416d1571444035f6f097988cf2e0a223c04852d3ac946
                                            • Instruction ID: 85401212a74c0ac1f2e37c53b797bef2cb0ab100bb4ca934e736831408501bf2
                                            • Opcode Fuzzy Hash: f2e90212c057f175c48416d1571444035f6f097988cf2e0a223c04852d3ac946
                                            • Instruction Fuzzy Hash: 912157B19003199FCB10CFA9C981BEEBBF1FF48314F10842AE959A7250D7789595CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 2471968: basic blocks 2471918-24719ee; PostMessageW called in block 2471918-2471942, which branches to 2471944-247194a or 247194b-247195f
                                            APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 02471935 (Msg 0x10 is WM_CLOSE)
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 67ee08d0cdd37f59b986c40dc31d4651d9c573dc63800b0e64cfdd0509c37334
                                            • Instruction ID: aaf26165fa5a2929f33ae4812ee4fc214e8f348763b13524ca07b2ce4a07c1fb
                                            • Opcode Fuzzy Hash: 67ee08d0cdd37f59b986c40dc31d4651d9c573dc63800b0e64cfdd0509c37334
                                            • Instruction Fuzzy Hash: FF21BEB29002189FDB20DF95D805BEEBBF4AF48314F14845AD499B7350C779A946CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 6e2d058: basic blocks 6e2d058-6e2d12e; WriteProcessMemory called in block 6e2d0b6-6e2d0f5, which branches to 6e2d0f7-6e2d0fd or 6e2d0fe-6e2d12e
                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06E2D0E8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ef081bb662c879364ae8d7d1a78c3f8e82d3a9ba05b2bf495f5b287b001212a5
                                            • Instruction ID: 7b45d589fef96677787491898c702da9e1e0fbde2fcf1f1ab9f19884b6431ff2
                                            • Opcode Fuzzy Hash: ef081bb662c879364ae8d7d1a78c3f8e82d3a9ba05b2bf495f5b287b001212a5
                                            • Instruction Fuzzy Hash: 002169B19003599FCB10CFA9C881BDEBBF5FF48314F108429E958A7250D7789954CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 251d0e0: basic blocks 251d0e0-251dafa; DuplicateHandle called in the entry block 251d0e0-251dad4, which branches to 251dad6-251dadc or 251dadd-251dafa
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0251DA06,?,?,?,?,?), ref: 0251DAC7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 61e89941232b6ef2f7684ae3f174bd2370ec23ad047d88f2f101990e24573d0e
                                            • Instruction ID: b3e3ef8a53c18f32941869266a02fda97968234193a425bf570b00a563d76134
                                            • Opcode Fuzzy Hash: 61e89941232b6ef2f7684ae3f174bd2370ec23ad047d88f2f101990e24573d0e
                                            • Instruction Fuzzy Hash: BF21E3B5901318AFDB10CF9AD984AEEBFF4FB48324F14841AE958A7350D374A950CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; block list condensed, executed/not-executed colouring not recoverable from the text)
• Function 6e2d140: basic blocks 6e2d140-6e2d20e; ReadProcessMemory called in the entry block 6e2d140-6e2d1d5, which branches to 6e2d1d7-6e2d1dd or 6e2d1de-6e2d20e
                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06E2D1C8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: f500c449af035660d58453bd071fee426671a04abd241e2380491207d1ee1af5
                                            • Instruction ID: 1a52162f0db7a8a3f835b4551b033e2f2ad8e2f41a12dab9aca037a0ea57e929
                                            • Opcode Fuzzy Hash: f500c449af035660d58453bd071fee426671a04abd241e2380491207d1ee1af5
                                            • Instruction Fuzzy Hash: 822125B18003599FCB10CFA9C9816EEBBF1FF48310F10882AE558A7250C7349554CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Blocks: 599 6e2ca80-6e2cad3; 601 6e2cae3-6e2cb13 Wow64SetThreadContext; 602 6e2cad5-6e2cae1; 604 6e2cb15-6e2cb1b; 605 6e2cb1c-6e2cb4c
                                            • Edges: 599->601, 599->602, 601->604, 601->605, 602->601, 604->605
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E2CB06
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: f9c2b66bab2f5f7536079e7ce302f85cad52779bd2e03da86de3ce94f30e62d8
                                            • Instruction ID: a15446f2090214c154aba47e9b4901a5df1242b820d226edfb02eb898aa642cc
                                            • Opcode Fuzzy Hash: f9c2b66bab2f5f7536079e7ce302f85cad52779bd2e03da86de3ce94f30e62d8
                                            • Instruction Fuzzy Hash: BC2168B1D003098FDB50DFA9C4857EEBBF5EF48324F24842AD459A7241CB789585CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06E2D1C8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: c5b561f64cd11e5b5ae045f4a8b93a3b63a60931bf3b833b95e7f6e4309f6b33
                                            • Instruction ID: 3bfded30dcb6e9355f058fbb4e6b05b6a83ef720bb7c6e4836fe44819831e46e
                                            • Opcode Fuzzy Hash: c5b561f64cd11e5b5ae045f4a8b93a3b63a60931bf3b833b95e7f6e4309f6b33
                                            • Instruction Fuzzy Hash: 092128B19003599FCB10DFAAC841AEEFBF5FF48310F108429E558A7250C7349554CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E2CB06
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 7f7b5db695cb0e57e830ea761c9f5ef0b578859d122ccba3ce3c16f56a853c76
                                            • Instruction ID: 746f9acb93fbe2c6a2bf6bf9257ca11697df84edeac9ac938f04f3e81fa2a02c
                                            • Opcode Fuzzy Hash: 7f7b5db695cb0e57e830ea761c9f5ef0b578859d122ccba3ce3c16f56a853c76
                                            • Instruction Fuzzy Hash: 2A2129B1D003198FDB50DFAAC4857EEBBF5EF48324F148429D459A7241C7789984CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: a366bc56a7a7fbd5c271a430f0f97b802390b8650b75fdfe248ea1ed8031eef8
                                            • Instruction ID: adff104635d19e2314474d077024c79afb09d4e7a3b544cf3391d5942c1ff52d
                                            • Opcode Fuzzy Hash: a366bc56a7a7fbd5c271a430f0f97b802390b8650b75fdfe248ea1ed8031eef8
                                            • Instruction Fuzzy Hash: 362157B1D003498FCB50CFA9C8457EEFBF5EF48328F20845AD459A7250CB346985CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0251B841,00000800,00000000,00000000), ref: 0251BA52
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 710c994c232f9b48016cc2384932b30db753d64dac567508358b0bd6eb405435
                                            • Instruction ID: ba086f1282ce0ec54832d07ee0615ed4c27a89c54c1edd6a05d32ac690af9381
                                            • Opcode Fuzzy Hash: 710c994c232f9b48016cc2384932b30db753d64dac567508358b0bd6eb405435
                                            • Instruction Fuzzy Hash: 391112B69003089FDB20CF9AC844ADEFBF4FB48324F10842AE519A7250C375A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06E2D006
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 6a9caa5a848dffcff7cad82424072742b8dae9346f29cab54cc32454c14b0c17
                                            • Instruction ID: 9e18cdc131f06aa7f8d2950e8cdcee08ada7ff4126cdd0ec47b0bf04aa1d4c04
                                            • Opcode Fuzzy Hash: 6a9caa5a848dffcff7cad82424072742b8dae9346f29cab54cc32454c14b0c17
                                            • Instruction Fuzzy Hash: D11189B68003098FCB10DFA9C805BDEBBF1AF48320F208819E559A7250C7359590CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06E2D006
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 1a24201869520b34b2aef97288b97224ac64b8c60f6ebea6195b4a594fceb943
                                            • Instruction ID: 1992a9f1bdce61c842a2f93ed3e9957875e482974d61eb4cea7c188e1df183cc
                                            • Opcode Fuzzy Hash: 1a24201869520b34b2aef97288b97224ac64b8c60f6ebea6195b4a594fceb943
                                            • Instruction Fuzzy Hash: C81156729002499FCB10DFAAC844ADEBFF6EF88324F108419E559A7260C775A554CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0251B841,00000800,00000000,00000000), ref: 0251BA52
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 9220ddcd64504a82543da867192e53478b50bcfaf1b123e1d67bb57260965a19
                                            • Instruction ID: 739810cee83aa07fdfcf8db7c1c8465d6c6be20e7ea3032a30a76a76b627b537
                                            • Opcode Fuzzy Hash: 9220ddcd64504a82543da867192e53478b50bcfaf1b123e1d67bb57260965a19
                                            • Instruction Fuzzy Hash: 3311F3B6D00249CFDB10CF9AC544ADEFBF4FB88314F14842AE559A7650C375A545CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 90e16125e79bdf77d9f0e03a2c65f234a6e0f7ab811ca748310b2bb5a36e8530
                                            • Instruction ID: 20ed2b7cb398d22cda8175734860fb0d75be2b5e24714fb35e702afd776f1c32
                                            • Opcode Fuzzy Hash: 90e16125e79bdf77d9f0e03a2c65f234a6e0f7ab811ca748310b2bb5a36e8530
                                            • Instruction Fuzzy Hash: 76113AB1D003598FCB10DFAAC4457DEFBF5EB88324F208419D559A7250C775A584CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0251B7C6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 6dabe3faaed6877cba5f06f0070fd85e7d9c049b3cd70c2d38cfb605467502e9
                                            • Instruction ID: 6638319c18c5e38c13ced7d6df6a566cfae3ee73fa50075afba6db3d3d0b21b2
                                            • Opcode Fuzzy Hash: 6dabe3faaed6877cba5f06f0070fd85e7d9c049b3cd70c2d38cfb605467502e9
                                            • Instruction Fuzzy Hash: 4F1110B6D003498FDB10CF9AC444ADEFBF8AF88328F10842AD458B7610C375A545CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02471935
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: eceddd92fa2adb4cafe095099ebacaebe20b3c08ca95356814da82dd13698e4f
                                            • Instruction ID: 6457a2ed0b585d6e32853c9bd80a1300827ab86bcefaf62a55bce91ec04aac99
                                            • Opcode Fuzzy Hash: eceddd92fa2adb4cafe095099ebacaebe20b3c08ca95356814da82dd13698e4f
                                            • Instruction Fuzzy Hash: 251106B5900348DFDB10DF9AC445BDFBBF8EB49324F10845AE558A7210C375A984CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 02471935
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: b82470c58fbc88c95494b15782b576670c200d3a37a7ecea22a1764c7d42b395
                                            • Instruction ID: 42c9d47fce4bf6ba1b28ddd1b267384530dc77a155f3348e293991d0eecb7bff
                                            • Opcode Fuzzy Hash: b82470c58fbc88c95494b15782b576670c200d3a37a7ecea22a1764c7d42b395
                                            • Instruction Fuzzy Hash: FC1103B5900349CFCB10CF99C585BDEFBF8EB08324F24885AE959A7210C378A594CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1714691868.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e8da3406d780a1dca2f1394ad623f878b4b1420f686f95207aa1e53b052301b
                                            • Instruction ID: 3e54bb86537d02d8c5b959f475182c5ab41f94fe12a9e7071a4d505d0ecce9e7
                                            • Opcode Fuzzy Hash: 7e8da3406d780a1dca2f1394ad623f878b4b1420f686f95207aa1e53b052301b
                                            • Instruction Fuzzy Hash: BA21D071604204DFCB24DF18D9C4F26BBA5EB88314F20C57DD84A4B296C33ADC87CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1714691868.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf08ed31cf57a77760c882f59440bb3c7335c68ea1b0c0f87d97a82296bffb3d
                                            • Instruction ID: 0e474fda36d3f0a849c4b4c1b2f49b440f9273a59d76bcb39189a13405fe7e8e
                                            • Opcode Fuzzy Hash: cf08ed31cf57a77760c882f59440bb3c7335c68ea1b0c0f87d97a82296bffb3d
                                            • Instruction Fuzzy Hash: 2321F2B1504204EFDB25DF14D9C4F26BBA5FB88314F24C67DE8494B296C33ADC46CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1714691868.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: 0049c0cc9a90065747447f96cf608d98403b0006f53a3be759710ebfd9de0c7f
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 60118B76504280DFDB16CF14D9C4B15BBA1FB84324F24C6AED8494B696C33AD84ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1714691868.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7cd000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: a30ae305594a42210599a7e4da668619d645c45d681d7457ad87a8a60e5f2847
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 4A119D75504284DFDB25CF18D5C4B16FFA2FB88314F24C6AED8494B656C33AD84ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T+-q$[V~*$[V~*$]\`
                                            • API String ID: 0-1849991408
                                            • Opcode ID: a1668af460335b5effe703ec4f987cb8d6fe982c8358df026642ccfbae0b542d
                                            • Instruction ID: 1dd8a91cc28ea58d92d7be62da90f99843761ba49d93f1d9807eae50903fec22
                                            • Opcode Fuzzy Hash: a1668af460335b5effe703ec4f987cb8d6fe982c8358df026642ccfbae0b542d
                                            • Instruction Fuzzy Hash: F4B1D670E1561A9FDB48CFAAD9808DEFBB2BF89300B14E52AD416EB258D7349901CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: T+-q$[V~*$]\`
                                            • API String ID: 0-3978741314
                                            • Opcode ID: f4cfe27bb142df3d0c2e385684c0afa3f7e3d4b774cd42ae988198ecbf8ed49e
                                            • Instruction ID: 0f6f534c64a6cee81eacb3965074a110c7541b901d59453f96022010375a7ff7
                                            • Opcode Fuzzy Hash: f4cfe27bb142df3d0c2e385684c0afa3f7e3d4b774cd42ae988198ecbf8ed49e
                                            • Instruction Fuzzy Hash: 1BB10770E1521A9FDB48CFAAD9808DEFBF3BF89300B14E52AD416EB259D73499018F54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60cdb336a676eebfc14a00c926a9b9bd1105fec9044b2baaa2e6dad3d5faee72
                                            • Instruction ID: bb49ddf02467cf885cf57b6dc5bd3f19ba950967010b7a6b543c69881cf9fdc8
                                            • Opcode Fuzzy Hash: 60cdb336a676eebfc14a00c926a9b9bd1105fec9044b2baaa2e6dad3d5faee72
                                            • Instruction Fuzzy Hash: D8E10D74E012198FCB14DFA9D5809AEFBF2FF89304F249169D414AB35AD731A942CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b10a8d9f1557bf0fb299eeecf1f81b5665eaa33ea904f702a4b42e3f47dee0a
                                            • Instruction ID: 0aa10759606ad74151201a07534f5e6f962148e6e7cf270d81aa84a31c598741
                                            • Opcode Fuzzy Hash: 0b10a8d9f1557bf0fb299eeecf1f81b5665eaa33ea904f702a4b42e3f47dee0a
                                            • Instruction Fuzzy Hash: 13E11A74E012198FCB14DFA9D5809AEFBB2FF89304F249169E414AB356D731AD42CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b02061859143a3a9e5848282b860ac37bba767c350ec254168453464518fcf15
                                            • Instruction ID: 076fba6fcf2c746eb59d48b61fd1bd0dc0677efc5ab3e536d99f6f47e823d9af
                                            • Opcode Fuzzy Hash: b02061859143a3a9e5848282b860ac37bba767c350ec254168453464518fcf15
                                            • Instruction Fuzzy Hash: 79E10C74E012198FDB54DFA9D5809AEFBF2FF89304F249169E414AB356DB30A942CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b30500cc35ba4eb6ddfab0b276ca15cb8d63cea814f5b6b062fafc2a1bf91f6d
                                            • Instruction ID: a78058d5671279584eddb5d37d115dc9002eab2c4e8263dc4f38238009128dab
                                            • Opcode Fuzzy Hash: b30500cc35ba4eb6ddfab0b276ca15cb8d63cea814f5b6b062fafc2a1bf91f6d
                                            • Instruction Fuzzy Hash: D3E11974E012198FDB54DFA9D5809AEFBF2FF89304F249169E414AB356D730A942CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 583090f90a748eef63bf49afc10b7aa458518dc25276365ea3c9a374fda4d42a
                                            • Instruction ID: 3cb41268cd188921d42d42282074ff177ca8e4e922ede22ff57380035afa54b9
                                            • Opcode Fuzzy Hash: 583090f90a748eef63bf49afc10b7aa458518dc25276365ea3c9a374fda4d42a
                                            • Instruction Fuzzy Hash: 5BE10974E012198FDB14DFA9D5809AEFBF2FF89304F249169E414AB35AD730A942CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8233484cfe3899d7b2c4a76fda8d5b337eca6d93cb361a02c80f3a1a9b91dbf7
                                            • Instruction ID: 3c80e3ec6eac58215af8548840b6d8d64e4c0cfb4254fb5f7037d2f711c487b5
                                            • Opcode Fuzzy Hash: 8233484cfe3899d7b2c4a76fda8d5b337eca6d93cb361a02c80f3a1a9b91dbf7
                                            • Instruction Fuzzy Hash: 74D1163192075ACECB11EB64E950ADDB771FF95300F10879AE1097B225EF706AC9CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2190ca05178d480d934192d075583e5fe357e9cd533521b599c884ebbf7f9e2c
                                            • Instruction ID: bdb2583d15d8a7d87151d9463f8c7278014f9730c99d91728e604a38dff5eff6
                                            • Opcode Fuzzy Hash: 2190ca05178d480d934192d075583e5fe357e9cd533521b599c884ebbf7f9e2c
                                            • Instruction Fuzzy Hash: 5CD1073192075ACACB11EB64D950A9DF772FF95300F10C79AE4097B225EFB06AC9CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715688417.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2510000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e5845c7b1ed043b47947b61aab90d06f246410dd1ecffd889f4bf2ee5019fc6
                                            • Instruction ID: 046711ff3d1a6ece763d5e807615fb1939136deda6502ed3e615f6601254ba3b
                                            • Opcode Fuzzy Hash: 2e5845c7b1ed043b47947b61aab90d06f246410dd1ecffd889f4bf2ee5019fc6
                                            • Instruction Fuzzy Hash: ACA18E32E003169FDF09DFB4C84059EBBB2FF88304B15456AE806AB265DB75E956CF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38a095b440a3415e08956116389fa6620abfa6fd3947a71e268c0767cb98a355
                                            • Instruction ID: ced76e27dd972bfc9ab389830d8f38f8bf8ae47a28c25cb18ff817c250b1e817
                                            • Opcode Fuzzy Hash: 38a095b440a3415e08956116389fa6620abfa6fd3947a71e268c0767cb98a355
                                            • Instruction Fuzzy Hash: BFD1F73192075ACACB11EB64D950A9DF772FF95300F10C79AE4097B225EF706AC9CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1720209829.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6e20000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3379bc45713cf914db3cc04490724598d3ab03252d392eb464bc2d08f95b7372
                                            • Instruction ID: f5ed3b7d681a64056e3fdf8ad3b5d9eb4817d3938de8d9b0f464d009c595824e
                                            • Opcode Fuzzy Hash: 3379bc45713cf914db3cc04490724598d3ab03252d392eb464bc2d08f95b7372
                                            • Instruction Fuzzy Hash: 6D514EB4E0121A8FCB54CFA9D5805AEFBF2BF89304F24D169D418B7216DB309942CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1715632772.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2470000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cfc52e60b4fb5cc254e0c21196d525849f5f0c783df4bc198b82a8bd77c4cbbc
                                            • Instruction ID: 0b9960abc7de70624307975757f483664523f584443ba6226627368f0e7d868f
                                            • Opcode Fuzzy Hash: cfc52e60b4fb5cc254e0c21196d525849f5f0c783df4bc198b82a8bd77c4cbbc
                                            • Instruction Fuzzy Hash: 2E21BA71E066189BEB28CF6B98043DEBAF7AFC9300F04D0BAD41CA6254DB740986CE51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:12.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:78
                                            Total number of Limit Nodes:8

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0130D496
                                            • GetCurrentThread.KERNEL32 ref: 0130D4D3
                                            • GetCurrentProcess.KERNEL32 ref: 0130D510
                                            • GetCurrentThreadId.KERNEL32 ref: 0130D569
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: e6374bb4d461ea18f65f1d4875ce02f3e57062fb27d3553384ef0e08ed128ce7
                                            • Instruction ID: 7aa396ebf531b23d6f25da0f3d341154c6d3e4fb11142f5b87aea3ecb49e8574
                                            • Opcode Fuzzy Hash: e6374bb4d461ea18f65f1d4875ce02f3e57062fb27d3553384ef0e08ed128ce7
                                            • Instruction Fuzzy Hash: A25164B09013498FDB04DFA9D548BDEBFF1AF48318F248069D059A72A0DB35A988CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0130D496
                                            • GetCurrentThread.KERNEL32 ref: 0130D4D3
                                            • GetCurrentProcess.KERNEL32 ref: 0130D510
                                            • GetCurrentThreadId.KERNEL32 ref: 0130D569
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 6b2d0b960d3b63f8ad8c303070ee80689402b23395d16174d50166bc8b840c4c
                                            • Instruction ID: 8969b5ff9537f3cec02acb5ce0bbe66b2a0041f55839dbd725bea7a9358107ed
                                            • Opcode Fuzzy Hash: 6b2d0b960d3b63f8ad8c303070ee80689402b23395d16174d50166bc8b840c4c
                                            • Instruction Fuzzy Hash: A85143B0D012098FDB14DFAAD548BDEBBF1EF48318F248459E419A73A0DB35A984CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3257567771.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_6760000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1aab9209fab7edfa815abfb46aa24fb81578da9386c4c71c3d6dfe67c153bbfe
                                            • Instruction ID: 9ed745d6634c552500f5487f5d6351cd7363d3c2af232e208ad1639b90d3ae89
                                            • Opcode Fuzzy Hash: 1aab9209fab7edfa815abfb46aa24fb81578da9386c4c71c3d6dfe67c153bbfe
                                            • Instruction Fuzzy Hash: B5817B71D00209DFEB54DFA9C8806EEBBF5FF48314F24852AE815AB254DB709945CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFDE
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 07e38f941c9a3425cad39c508ece701db6be9475404d8b7e683e2371ff68dac1
                                            • Instruction ID: 3f514796492c9fecdb7af1af61585e170e61f5378eb9d7f2d0fb20a6aded241c
                                            • Opcode Fuzzy Hash: 07e38f941c9a3425cad39c508ece701db6be9475404d8b7e683e2371ff68dac1
                                            • Instruction Fuzzy Hash: F7713670A00B058FDB25DF29E56475ABBF5FF88308F008A2DD49AD7A90D775E845CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06765130
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3257567771.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_6760000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Query_
                                            • String ID:
                                            • API String ID: 428220571-0
                                            • Opcode ID: c8b5fdf45c2ab1d76ab9a1d88c66a459c637330bae8564a5c9fe79625a6c0907
                                            • Instruction ID: b4b3a2a9d3f86580a4aa798183fb31b860fd4da4393797712851fe7de68b17d7
                                            • Opcode Fuzzy Hash: c8b5fdf45c2ab1d76ab9a1d88c66a459c637330bae8564a5c9fe79625a6c0907
                                            • Instruction Fuzzy Hash: DD5125B1D0030D9FEB54CFA9C8807DEBBB6BF48314F24852AE814AB250DB75A945CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06765130
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3257567771.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_6760000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: Query_
                                            • String ID:
                                            • API String ID: 428220571-0
                                            • Opcode ID: ade4f074e836e5d93c34cd8856537ebabae5338dad60eea5daba6633c883361d
                                            • Instruction ID: 556b33c27e8bea14c6577fc4f9d4e8a282b9501a131b1dc487bd84296befa540
                                            • Opcode Fuzzy Hash: ade4f074e836e5d93c34cd8856537ebabae5338dad60eea5daba6633c883361d
                                            • Instruction Fuzzy Hash: 5B5115B1D0021D9FEB54CFA9C8807DEBBB5FF48314F24852AE814AB250DB75A945CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130D6E7
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c66bf8eef18a4e5a9db3004dd23d1c7789cafd8badde878b0b1b410469cc3d18
                                            • Instruction ID: c877d7abf3be5291054d5bf073ca23c16877da860c68c913135cb03d5e71e392
                                            • Opcode Fuzzy Hash: c66bf8eef18a4e5a9db3004dd23d1c7789cafd8badde878b0b1b410469cc3d18
                                            • Instruction Fuzzy Hash: D421F2B5900208EFDB10CFAAD984ADEBBF4FF48320F14841AE918A7350C374A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0130D6E7
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 3022bdbadd01602ab42bdac49ec2333bfdf848bff88fa5558eabcad164b87532
                                            • Instruction ID: 68c6469c18864adf44e6e02a278c340f30388427c0e9141b459fde5324be8ed9
                                            • Opcode Fuzzy Hash: 3022bdbadd01602ab42bdac49ec2333bfdf848bff88fa5558eabcad164b87532
                                            • Instruction Fuzzy Hash: 7621E2B59002089FDB10CFAAD984ADEBFF8EB48320F14841AE918A7350D374A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0130B059,00000800,00000000,00000000), ref: 0130B26A
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 52389c4394ad1802c312523e3ef482e2a760d7da467f6c95644516fe343b553d
                                            • Instruction ID: db0d23e4c177135e6af37786a935f98a58c49f8cc089e6af566937038156c1da
                                            • Opcode Fuzzy Hash: 52389c4394ad1802c312523e3ef482e2a760d7da467f6c95644516fe343b553d
                                            • Instruction Fuzzy Hash: 982144BAC002089FDB10CFAAC444ADEFFF8EF49320F10842AD558AB250C375A545CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 130a148, basic blocks 130a148-130b29d; calls LoadLibraryExW)
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0130B059,00000800,00000000,00000000), ref: 0130B26A
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: a6d4322b0d8ee3688025a872739296044c9d596f132a28384ef89b3152ac7842
                                            • Instruction ID: cd94d51dacb22eac6a00754dd582ba914a12908442ad401fbd0c3b66a5e877d5
                                            • Opcode Fuzzy Hash: a6d4322b0d8ee3688025a872739296044c9d596f132a28384ef89b3152ac7842
                                            • Instruction Fuzzy Hash: D71112BAD003088FDB10CFAAC844ADEFBF8EB48324F10842AE559A7650C375A544CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 130af78, basic blocks 130af78-130b008; calls GetModuleHandleW)
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFDE
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3241202339.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_1300000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: e734cc3b0393fbaad4bcb1aa87b44d9233b50a2aa13e56cbcf163a48f9113bb8
                                            • Instruction ID: 64503a014777ade9e40ac246a783a526e659357cd9c14620b311bb3eb7ce67a2
                                            • Opcode Fuzzy Hash: e734cc3b0393fbaad4bcb1aa87b44d9233b50a2aa13e56cbcf163a48f9113bb8
                                            • Instruction Fuzzy Hash: 0D1110B5C003498FDB10CF9AD844ADEFBF4AF88328F10842AD428A7250C379A549CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3240844397.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_119d000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7d98f9e9f999b4f9b274bcf183b3208ee54b74a3aa10b0b3f9a2bc80e85d611
                                            • Instruction ID: e201e309e2e98525161e0d15373673401e9baad9d83315d193cabfc2d2484ee4
                                            • Opcode Fuzzy Hash: d7d98f9e9f999b4f9b274bcf183b3208ee54b74a3aa10b0b3f9a2bc80e85d611
                                            • Instruction Fuzzy Hash: 40212271604200DFDF19DF68E984B26BFA5FB84354F28C66DD80A4B256C33AD447CA62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.3240844397.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_119d000_PROOF OF PAYMENT.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: 6d49d46d96e98291ab71d5a70480b3c590aa48b8e22a8d6e14f665a78751b652
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 1E119D75504280DFDF16CF58E5C4B16FFA2FB84314F28C6AAD8494B656C33AD44ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:11.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:302
                                            Total number of Limit Nodes:16

                                             Control-flow Graph (entry 904d2d5, basic blocks 904d2d5-904d625; calls CreateProcessA)
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0904D516
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 1ef445f493e11b8807adcbe42ac67541017bbc81f2c0fc3ae6bb32c4c411c315
                                            • Instruction ID: d7adfb0254c90ccb274ee2a7d460382bf939091fa726e040fe456ed6b04b1252
                                            • Opcode Fuzzy Hash: 1ef445f493e11b8807adcbe42ac67541017bbc81f2c0fc3ae6bb32c4c411c315
                                            • Instruction Fuzzy Hash: 18A13AB1D00219DFDB24DFA8C8417EDBBF2AF48314F1485A9E849E7290DB74A985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 904d2e0, basic blocks 904d2e0-904d625; calls CreateProcessA)
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0904D516
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 404dfe5b8832cb266fa3ccccc0438d0539e53d4a02b46a7dfd083520de036cda
                                            • Instruction ID: cee9f021bbd8625028a2d56dda2b4ab1696f1d5d9a452cb1f9bea54b6c5aaf46
                                            • Opcode Fuzzy Hash: 404dfe5b8832cb266fa3ccccc0438d0539e53d4a02b46a7dfd083520de036cda
                                            • Instruction Fuzzy Hash: 5F9139B1D002199FDF20DFA8C8417EDBBF2AF48314F1485A9E849E7290DB74A985CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 4c821c4, basic blocks 4c82191-4c82341; calls 4c80f80 and CreateWindowExW)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C822E2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1817423611.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_4c80000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 5595b95f4d7a0cf933fcd5cab45bad340e4e3ce379617f6026addc57f8a6783e
                                            • Instruction ID: cf5a87218d2c1398509304119f06927b08320c95e3307b4672e698f964ad554b
                                            • Opcode Fuzzy Hash: 5595b95f4d7a0cf933fcd5cab45bad340e4e3ce379617f6026addc57f8a6783e
                                            • Instruction Fuzzy Hash: F75112B1C00249AFDF15CF99C984ADEBFB6FF48314F24816AE818AB220D770A945CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 4c80f80, basic blocks 4c80f80-4c82341; calls CreateWindowExW)
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C822E2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1817423611.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_4c80000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 660cbbe21a9367843a239e6a238224f2070e6f7343009c0f13c0bb84af1b8aba
                                            • Instruction ID: f0a7a8318ea5b94d35c5ed5b28074884a3e97671f567292920b9dcb74edfabb1
                                            • Opcode Fuzzy Hash: 660cbbe21a9367843a239e6a238224f2070e6f7343009c0f13c0bb84af1b8aba
                                            • Instruction Fuzzy Hash: 5751CFB1D003499FDB14DF99C984ADEBBB6FF48314F24816EE818AB210D770A945CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 4c810d4, basic blocks 4c810d4-4c848bc; calls 4c80fac and CallWindowProcW)
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C84861
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1817423611.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_4c80000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: b321e6c94a51287d32a659e5941fe612b600f356a46968cf7ba3cbb28c937ddf
                                            • Instruction ID: 0b8501275c65211b5657b47cda145156f740f8d6303c125f53d5e6c4b8727e52
                                            • Opcode Fuzzy Hash: b321e6c94a51287d32a659e5941fe612b600f356a46968cf7ba3cbb28c937ddf
                                            • Instruction Fuzzy Hash: E8414AB4A00349DFDB14DF59C488AAABBF6FB88318F14C45DD509AB321D374A840CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph (entry 26144e4, basic blocks 26144e4-2615a61; calls CreateActCtxA)
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 026159C9
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 2a436223647bfecbcb3277131ba09a2028734f27a5b387e7d838b504e209cbe0
                                            • Instruction ID: a33cbe4a8152a1b2c9790a72b7e994d67c6601638a83a68529120dfd5d244e2b
                                            • Opcode Fuzzy Hash: 2a436223647bfecbcb3277131ba09a2028734f27a5b387e7d838b504e209cbe0
                                            • Instruction Fuzzy Hash: 1441F2B0C00719CBDB24CFA9C984BCDFBB5BF48304F6480AAD409AB255DB75694ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 1396 261590c-26159d9 CreateActCtxA 1398 26159e2-2615a3c 1396->1398 1399 26159db-26159e1 1396->1399 1406 2615a4b-2615a4f 1398->1406 1407 2615a3e-2615a41 1398->1407 1399->1398 1408 2615a51-2615a5d 1406->1408 1409 2615a60 1406->1409 1407->1406 1408->1409 1411 2615a61 1409->1411 1411->1411
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 026159C9
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: bca06b3ce901363310358bb4d0475b6c3ad0f375183d34480a193997ab02a9ed
                                            • Instruction ID: 4bad1ef713e68722317ad79968d2b8e74ff4526b84d7d89ab01a71008feb8458
                                            • Opcode Fuzzy Hash: bca06b3ce901363310358bb4d0475b6c3ad0f375183d34480a193997ab02a9ed
                                            • Instruction Fuzzy Hash: F341E3B1C00619CFDB24CFA9C9847CEFBB5BF48304F24809AD409AB255DB75694ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 059b3f7ac62acaea7bf05bdce0e043696a0294eaf6422060246c9a9b4f4c9143
                                            • Instruction ID: 6ccabd23e7912b28a9b5857be63555a1a7fcd93e497d2ffc1b828fdf931b7b29
                                            • Opcode Fuzzy Hash: 059b3f7ac62acaea7bf05bdce0e043696a0294eaf6422060246c9a9b4f4c9143
                                            • Instruction Fuzzy Hash: E621A0B2D05358DFDB14CFAAC444AEEFBF4EB68318F18806AD555A7210C374A645CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0904D0E8
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 0e44512ae5519f75b4fe2c9c65ba7b831be8c3a9bc1fc8947f522896e81a731f
                                            • Instruction ID: 104eeaf14ba2b6d113fd513be812ad415c3ace9dbf976cd777c54fb0286313c2
                                            • Opcode Fuzzy Hash: 0e44512ae5519f75b4fe2c9c65ba7b831be8c3a9bc1fc8947f522896e81a731f
                                            • Instruction Fuzzy Hash: B92137B1D002599FCB10CFA9C945BEEBBF1FF48314F10842AE959A7250C778A955CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0904D0E8
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 285df807bf8e3758eda1a22ba9030e3ff24986e46cbe4f7a1050b294e8f0c171
                                            • Instruction ID: 3d943335c328dd027cee38fba79f923799c518b6a8d2f59aee69b0fc8a3754fb
                                            • Opcode Fuzzy Hash: 285df807bf8e3758eda1a22ba9030e3ff24986e46cbe4f7a1050b294e8f0c171
                                            • Instruction Fuzzy Hash: 712136B19003599FCF10CFA9C985BDEBBF5FF48310F10882AE958A7250C778A945CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0904CB06
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 2d38f7a55005b33f6ee0f23a5cae94e65fa316f9d2f5cbf0e99e294c9e6b8500
                                            • Instruction ID: 8bac58abca3eb2295c30f16080986da6f9a26b57f55cc3e57013c9599080b9bb
                                            • Opcode Fuzzy Hash: 2d38f7a55005b33f6ee0f23a5cae94e65fa316f9d2f5cbf0e99e294c9e6b8500
                                            • Instruction Fuzzy Hash: EC2159B19003188FDB10DFAAC4857EEBFF4EF49314F148429D458A7241CB78A985CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0904D1C8
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 82ab0227cb35310264707a38d183f46bd5d6902132e0823eecfd0e2f41253e4f
                                            • Instruction ID: 6ef1309cf1be38832644c3877fccc745164812d7293bc46ccaafb21ea2496b1f
                                            • Opcode Fuzzy Hash: 82ab0227cb35310264707a38d183f46bd5d6902132e0823eecfd0e2f41253e4f
                                            • Instruction Fuzzy Hash: 48213BB18002599FCB10CFA9C885AEEBBF5FF48310F108429E558A7250C774A544CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0261DA06,?,?,?,?,?), ref: 0261DAC7
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: f5909bc001b7ae0f647e0e50c19068fdaa5a88f9eb91482963691d1527396874
                                            • Instruction ID: 28dadf7bc3bd1f3fc5d70b8732dc6d564c3d8ceab2bb8d248906427c94f73f8d
                                            • Opcode Fuzzy Hash: f5909bc001b7ae0f647e0e50c19068fdaa5a88f9eb91482963691d1527396874
                                            • Instruction Fuzzy Hash: 3121E4B5900258EFDB10CF9AD984ADEBFF4FB48320F14845AE918A7350D374A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 20eb72463c7b2ece52859dadcad4101ecbd9e83c21f618aeb943f98920abc38f
                                            • Instruction ID: 3ad139c0d0168d7f2b36af886b21161e96685673055b77d277678114342fac00
                                            • Opcode Fuzzy Hash: 20eb72463c7b2ece52859dadcad4101ecbd9e83c21f618aeb943f98920abc38f
                                            • Instruction Fuzzy Hash: 0E2198B1D002489FCB10DFAAC4447EEFBF4EF88324F248469D958AB250CB34A941CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0904CB06
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 392e50f0d96dfc22ab02e83ae70c90fb2e4a77d803ef0cdfff635679387ef0a6
                                            • Instruction ID: 22af1f05fc8f5fbb17af70997e75d1da9dda4d94f78b9452f2e4a711aadcd59b
                                            • Opcode Fuzzy Hash: 392e50f0d96dfc22ab02e83ae70c90fb2e4a77d803ef0cdfff635679387ef0a6
                                            • Instruction Fuzzy Hash: C42118B19002198FDB10DFAAC585BEEBBF5EF48324F14C429D459A7241CB789944CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0904D1C8
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 85f029148a32fa12184630a98bedb805544a8840b6d2d7f177aec589cbe9429c
                                            • Instruction ID: 4b2386d787deb5f8302865b18dcc1fec9e2045ec530e00a1cee2acc5ea39309e
                                            • Opcode Fuzzy Hash: 85f029148a32fa12184630a98bedb805544a8840b6d2d7f177aec589cbe9429c
                                            • Instruction Fuzzy Hash: 942109B19003599FCB10DFAAC985AEEFBF5FF48310F10842AE959A7250C774A944CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0261B841,00000800,00000000,00000000), ref: 0261BA52
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 3b1fada95f29fc8130d181b9a5ffaa4d4636d73e8d02ac2c360cde5c27e3efa7
                                            • Instruction ID: 19e3d99f9581d9a7ca01a0d574e482efe9f2eb930c270a0bd711e10ca63efea4
                                            • Opcode Fuzzy Hash: 3b1fada95f29fc8130d181b9a5ffaa4d4636d73e8d02ac2c360cde5c27e3efa7
                                            • Instruction Fuzzy Hash: A21123B6D003489FDB20CF9AC944ADEFBF4EB48314F14846AE519A7350C375A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0904D006
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 23898c9d3c2e16086de91e53364e3b4161e92f95665ede1d9c5f5f87e625c0a9
                                            • Instruction ID: e6482c9f4d9b85ac71483ba6b1456a8f9c762dd7a4f0b61dcb62f33949df9476
                                            • Opcode Fuzzy Hash: 23898c9d3c2e16086de91e53364e3b4161e92f95665ede1d9c5f5f87e625c0a9
                                            • Instruction Fuzzy Hash: 741159B29002499FCB20DFA9D444BDEBFF1EF88310F148429E515A7250C735A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0261B841,00000800,00000000,00000000), ref: 0261BA52
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: c78a2cfa3258ff8720fb50274cbdfc8d9a081ceb1541e6c111c00c49defe88f1
                                            • Instruction ID: 040dc294ccfa9f10f785e0fc56fa10bbe137f76d3c4b8f31aebf94fc5bf63afa
                                            • Opcode Fuzzy Hash: c78a2cfa3258ff8720fb50274cbdfc8d9a081ceb1541e6c111c00c49defe88f1
                                            • Instruction Fuzzy Hash: 401134B6D003489FCB10CF9AC544ADEFBF4EB48324F14842AD519A7350C375A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0904D006
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 4d017725269481fd0a24a08ccaa376ef3545e80745c21c106d5b77145f85a7ba
                                            • Instruction ID: fdb5cab2ec0040ccafe349dd2ea37e888ef99b584d6cc548a4287a11e6ec915f
                                            • Opcode Fuzzy Hash: 4d017725269481fd0a24a08ccaa376ef3545e80745c21c106d5b77145f85a7ba
                                            • Instruction Fuzzy Hash: C61137B19002499FCB20DFAAC844BDEFFF5EF88320F108829E559A7250C775A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0D0215AD
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1824468190.000000000D020000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_d020000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 4199f2ef53887e680ed970a8d9dab8b9a489ce1135efd9ce613e55c27c509a1e
                                            • Instruction ID: d5f2150079bbc27c39d7a0f8d94beba10bb45ae4af263cd6a9344c4a7f27a5f1
                                            • Opcode Fuzzy Hash: 4199f2ef53887e680ed970a8d9dab8b9a489ce1135efd9ce613e55c27c509a1e
                                            • Instruction Fuzzy Hash: 151125B5800358DFDB10CF9AC485BEEBBF8EB48320F10845AD458A7600C375A980CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1821347097.0000000009040000.00000040.00000800.00020000.00000000.sdmp, Offset: 09040000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_9040000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 6935b1a25a0752e477e21041655e5ab592a7b4d53e614066437586e4876f4019
                                            • Instruction ID: 95bae8cc60af1f5b86643e2ce74bd731434b246e0b82e9a90ef7cfdefde54635
                                            • Opcode Fuzzy Hash: 6935b1a25a0752e477e21041655e5ab592a7b4d53e614066437586e4876f4019
                                            • Instruction Fuzzy Hash: 3C1136B19002588FDB20DFAAC4457DEFBF4EB88324F208829D559A7250CB75A944CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0261B7C6
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808762910.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_2610000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 826d4f807e19f292d9797ca6f69d68730f9b3df260121e2c11e297a6dce5b378
                                            • Instruction ID: 8778deec3bec3cc42aeeb1c7e7d40bad269a6dbef7a5c204e2a1605617faf013
                                            • Opcode Fuzzy Hash: 826d4f807e19f292d9797ca6f69d68730f9b3df260121e2c11e297a6dce5b378
                                            • Instruction Fuzzy Hash: F21110B5C002498FCB10CF9AD544ADEFBF8EF88324F14846AD418B7610C375A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0D0215AD
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1824468190.000000000D020000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D020000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_d020000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 4560fd7c40eb447c497a051a9e9b3fdcce6f0572e4d5e4474e0c59604fb96ef2
                                            • Instruction ID: 09aa6e32c7703b9eaa821b02bc7c066a3c3cfb443e5a2b04369d5bcd25a381ae
                                            • Opcode Fuzzy Hash: 4560fd7c40eb447c497a051a9e9b3fdcce6f0572e4d5e4474e0c59604fb96ef2
                                            • Instruction Fuzzy Hash: 5D1112B5800358DFDB10DF9AC984BEEFBF8EB48320F10845AE558A7200C375A984CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1807974556.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bdd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: abbea356f6bd9c992f46e6fe0d3796d19c15085a52dc4062d1f60ab8439e4525
                                            • Instruction ID: 274b523ad01d54460c1c93d0e5e7f3a80765e1bb14c1f8bc7b0ec26e34a5315b
                                            • Opcode Fuzzy Hash: abbea356f6bd9c992f46e6fe0d3796d19c15085a52dc4062d1f60ab8439e4525
                                            • Instruction Fuzzy Hash: A221FF72504200DFCB05DF14D9C4B2BFFA5FB88310F20C6AAE9890A356D336D816CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1807974556.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bdd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 43c48cdf3736c38a829662127d916eb668c03b62c39be051ece2a2ae777dafde
                                            • Instruction ID: d44a6b553c54f09919ad8f9249512f4740c14d050d10c263503453e770525f6c
                                            • Opcode Fuzzy Hash: 43c48cdf3736c38a829662127d916eb668c03b62c39be051ece2a2ae777dafde
                                            • Instruction Fuzzy Hash: F7210371540240DFDB05DF14E9C0B2AFFA5FBA8318F20C5AAE8890B356D336D856CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808098004.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bed000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
                                            • Instruction ID: b7a09ac6b5dcb0f3567fbaa9a16fac67702bf0077cd66a8a86dbc9c0330cd85d
                                            • Opcode Fuzzy Hash: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
                                            • Instruction Fuzzy Hash: 9D21F271604280DFCB14DF15D9D4B26BBA5FB84314F28C5ADD80A4B297C3BAD847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808098004.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bed000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5694c768a0c0b2f29605a917a39abd36739b336edcd2da388e17b84baf08e6a
                                            • Instruction ID: 24719a23907471d39d0031b8c88379f44ff5bcf31ca38e8e3f0d443b158ff456
                                            • Opcode Fuzzy Hash: f5694c768a0c0b2f29605a917a39abd36739b336edcd2da388e17b84baf08e6a
                                            • Instruction Fuzzy Hash: 08212675604280EFDB05DF15DAC0B26BBE5FB84314F20C6ADEA094B296C3B6D846CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808098004.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bed000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
                                            • Instruction ID: bf970bc0bc59c2620b5907c30b3c387694d7af79bbb3c5306e72521d5cf4a353
                                            • Opcode Fuzzy Hash: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
                                            • Instruction Fuzzy Hash: A321A4755093C08FCB02CF20D594715BFB1EB45314F28C5EAD8498B297C33AD80ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1807974556.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bdd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                            • Instruction ID: 53e0e6f127618c34cfb269635c0d700b5dbb07dccf4b38aa78e7acff38ccf61a
                                            • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                            • Instruction Fuzzy Hash: 11219D76504240DFDB06CF50D9C4B56FFB2FB94314F24C6AADD490A656C33AD82ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1807974556.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bdd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: 99777a6515e7be2e8dfd2fcf2f5176c5d7703cb729a13285660dfceaf46ab1c9
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: 0111B176504280DFCB16CF14D5C4B16FFB1FBA4318F24C6AAD8490B656C336D85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.1808098004.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_bed000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction ID: 3ac2c5cc9566303de87fc50d2e55ae12e70e8cb8bf9d3de55ee0631b4ea1d817
                                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                            • Instruction Fuzzy Hash: 8211BB75504280DFCB02CF10C5C4B15BBA1FB84314F24C6AAD9494B296C37AD80ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:6.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:76
                                            Total number of Limit Nodes:5
                                            execution_graph 13806 111dd40 13807 111dd6e 13806->13807 13808 111de3a KiUserCallbackDispatcher 13807->13808 13809 111de3f 13807->13809 13808->13809 13810 111d418 13811 111d45e 13810->13811 13815 111d5e7 13811->13815 13819 111d5f8 13811->13819 13812 111d54b 13816 111d5f8 13815->13816 13822 111b770 13816->13822 13820 111b770 DuplicateHandle 13819->13820 13821 111d626 13820->13821 13821->13812 13823 111d660 DuplicateHandle 13822->13823 13824 111d626 13823->13824 13824->13812 13825 1116e48 13827 1116e56 13825->13827 13828 1116a34 13825->13828 13829 1116a3f 13828->13829 13832 1116a84 13829->13832 13831 1116f7d 13831->13827 13833 1116a8f 13832->13833 13836 1116ab4 13833->13836 13835 111705a 13835->13831 13837 1116abf 13836->13837 13840 1116ae4 13837->13840 13839 111714d 13839->13835 13841 1116aef 13840->13841 13843 11183b3 13841->13843 13847 111ac58 13841->13847 13842 11183f1 13842->13839 13843->13842 13851 111cd40 13843->13851 13856 111cd50 13843->13856 13861 111ac90 13847->13861 13864 111ac80 13847->13864 13848 111ac6e 13848->13843 13852 111cd50 13851->13852 13853 111cd95 13852->13853 13888 111cf00 13852->13888 13892 111ceef 13852->13892 13853->13842 13857 111cd71 13856->13857 13858 111cd95 13857->13858 13859 111cf00 2 API calls 13857->13859 13860 111ceef 2 API calls 13857->13860 13858->13842 13859->13858 13860->13858 13868 111ad88 13861->13868 13862 111ac9f 13862->13848 13865 111ac90 13864->13865 13867 111ad88 2 API calls 13865->13867 13866 111ac9f 13866->13848 13867->13866 13869 111ad99 13868->13869 13870 111adbc 13868->13870 13869->13870 13876 111b010 13869->13876 13880 111b020 13869->13880 13870->13862 13871 111adb4 13871->13870 13872 111afc0 GetModuleHandleW 13871->13872 13873 111afed 13872->13873 13873->13862 13877 111b034 13876->13877 13878 111b059 13877->13878 13884 111a148 13877->13884 13878->13871 13881 111b034 13880->13881 13882 111b059 13881->13882 13883 111a148 LoadLibraryExW 13881->13883 13882->13871 
13883->13882 13885 111b200 LoadLibraryExW 13884->13885 13887 111b279 13885->13887 13887->13878 13889 111cf0d 13888->13889 13890 111cf47 13889->13890 13896 111b760 13889->13896 13890->13853 13893 111cf00 13892->13893 13894 111cf47 13893->13894 13895 111b760 2 API calls 13893->13895 13894->13853 13895->13894 13897 111b76b 13896->13897 13898 111dc58 13897->13898 13900 111d064 13897->13900 13901 111d06f 13900->13901 13902 1116ae4 2 API calls 13901->13902 13903 111dcc7 13902->13903 13903->13898

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 527 111ad88-111ad97 528 111adc3-111adc7 527->528 529 111ad99-111ada6 call 111a0e4 527->529 530 111adc9-111add3 528->530 531 111addb-111ae1c 528->531 536 111ada8 529->536 537 111adbc 529->537 530->531 538 111ae29-111ae37 531->538 539 111ae1e-111ae26 531->539 582 111adae call 111b010 536->582 583 111adae call 111b020 536->583 537->528 541 111ae39-111ae3e 538->541 542 111ae5b-111ae5d 538->542 539->538 540 111adb4-111adb6 540->537 543 111aef8-111afb8 540->543 545 111ae40-111ae47 call 111a0f0 541->545 546 111ae49 541->546 544 111ae60-111ae67 542->544 577 111afc0-111afeb GetModuleHandleW 543->577 578 111afba-111afbd 543->578 548 111ae74-111ae7b 544->548 549 111ae69-111ae71 544->549 547 111ae4b-111ae59 545->547 546->547 547->544 552 111ae88-111ae91 call 111a100 548->552 553 111ae7d-111ae85 548->553 549->548 558 111ae93-111ae9b 552->558 559 111ae9e-111aea3 552->559 553->552 558->559 560 111aec1-111aece 559->560 561 111aea5-111aeac 559->561 568 111aef1-111aef7 560->568 569 111aed0-111aeee 560->569 561->560 563 111aeae-111aebe call 111a110 call 111a120 561->563 563->560 569->568 579 111aff4-111b008 577->579 580 111afed-111aff3 577->580 578->577 580->579 582->540 583->540
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0111AFDE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: /
                                            • API String ID: 4139908857-2043925204
                                            • Opcode ID: 8aa11f3672bf7ecd602465107f2385387259a3aa5b0cf2fb49ad15f9b8cfee3e
                                            • Instruction ID: 67e126229bbb0e49aea5b75c6a2bca4244246094fa5460a1325eea6bbb62912b
                                            • Opcode Fuzzy Hash: 8aa11f3672bf7ecd602465107f2385387259a3aa5b0cf2fb49ad15f9b8cfee3e
                                            • Instruction Fuzzy Hash: 94713470A01B458FDB28DF29E54075ABBF6FF88304F008A2DD58AD7A54DB34E845CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 584 111b770-111d6f4 DuplicateHandle 586 111d6f6-111d6fc 584->586 587 111d6fd-111d71a 584->587 586->587
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0111D626,?,?,?,?,?), ref: 0111D6E7
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c65877cf22353e19b87a6398d54334c67a550e93ffdbc667e33d8b8ef71dfab6
                                            • Instruction ID: c003b2c07cc1c8859ab01d63eb8d3c7e7fceb53b941f51cb5c28a09ded218155
                                            • Opcode Fuzzy Hash: c65877cf22353e19b87a6398d54334c67a550e93ffdbc667e33d8b8ef71dfab6
                                            • Instruction Fuzzy Hash: A42114B5900218DFDB10CF9AE584ADEFFF4EB48310F14842AE918A3310C374A940CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 590 111d658-111d65a 591 111d660-111d6f4 DuplicateHandle 590->591 592 111d6f6-111d6fc 591->592 593 111d6fd-111d71a 591->593 592->593
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0111D626,?,?,?,?,?), ref: 0111D6E7
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 2c18922133edc6b311d61ebd5900dc9caeafe63218dca634095046fb39c25d64
                                            • Instruction ID: af20259d723642d7dc1cdf77dba9c2115390d56ced387e96c5aaad7cc0b8d5a9
                                            • Opcode Fuzzy Hash: 2c18922133edc6b311d61ebd5900dc9caeafe63218dca634095046fb39c25d64
                                            • Instruction Fuzzy Hash: BA2116B5900248DFDB10CFAAE584ADEFFF4EB48320F14841AE958A3350C379A940CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 596 111a148-111b240 598 111b242-111b245 596->598 599 111b248-111b277 LoadLibraryExW 596->599 598->599 600 111b280-111b29d 599->600 601 111b279-111b27f 599->601 601->600
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0111B059,00000800,00000000,00000000), ref: 0111B26A
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 29d8243c68b5fd995ef262f390b0e7521e66bfa2943b1760a20c3afcac050e09
                                            • Instruction ID: db2a10be74169509b5e04c1937375028b54479cc7f8225c10f9ac36c78cf933c
                                            • Opcode Fuzzy Hash: 29d8243c68b5fd995ef262f390b0e7521e66bfa2943b1760a20c3afcac050e09
                                            • Instruction Fuzzy Hash: 5E1112B6904308DFDB14CF9AD444ADEFBF5EB88310F14842AE959A7210C379A545CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 604 111b1f8-111b240 606 111b242-111b245 604->606 607 111b248-111b277 LoadLibraryExW 604->607 606->607 608 111b280-111b29d 607->608 609 111b279-111b27f 607->609 609->608
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0111B059,00000800,00000000,00000000), ref: 0111B26A
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: dd3b5c11fd44294a77bf81282637fe9c1d91651ef8c4b9f4c5983d64542a9ccd
                                            • Instruction ID: a6411220b4edde57ca9be47d35f1867d998c94cb0a4bc20b514d253975c442ac
                                            • Opcode Fuzzy Hash: dd3b5c11fd44294a77bf81282637fe9c1d91651ef8c4b9f4c5983d64542a9ccd
                                            • Instruction Fuzzy Hash: 841123B6C043489FDB14CF9AD444ADEFBF4EB88310F10842AE959A7210C379A545CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 612 111af78-111afb8 613 111afc0-111afeb GetModuleHandleW 612->613 614 111afba-111afbd 612->614 615 111aff4-111b008 613->615 616 111afed-111aff3 613->616 614->613 616->615
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0111AFDE
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846533075.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_1110000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 828bb756a71e95b80905339b0399c0b733ce197daff8a29dbc004cc8fcda35d2
                                            • Instruction ID: 371d2a77b7b26facbb54da9e36772d4cbb0802dc6c2317332520d4ced89ec30e
                                            • Opcode Fuzzy Hash: 828bb756a71e95b80905339b0399c0b733ce197daff8a29dbc004cc8fcda35d2
                                            • Instruction Fuzzy Hash: 281110B6C002498FDB14CF9AD444ADEFBF4EF88324F10842AD569A7254C379A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846384137.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_10cd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccfff496c2fd2d59e1056d58d19f8d75be1a14d223bfffe1ffd66d8f8ddcf0b3
                                            • Instruction ID: 48a538a30b3d43ed41920839f9f4c171d21a275ca964aee91d0eae593d4f9e72
                                            • Opcode Fuzzy Hash: ccfff496c2fd2d59e1056d58d19f8d75be1a14d223bfffe1ffd66d8f8ddcf0b3
                                            • Instruction Fuzzy Hash: 2D210071604200DFCB15DF98D984B2ABBA5EB84B14F30C5BDE98A4B256C33AD447CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.1846384137.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_15_2_10cd000_hXGmUcb.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4142cc12e9d7e50139fd5abbe81a4d497d385cc556a12dba391739ad1f5f66bf
                                            • Instruction ID: 8ffdac30e10e75307bd13f033a9a1e93c8bd15f1656f3c3fbf4cb70b061cdb56
                                            • Opcode Fuzzy Hash: 4142cc12e9d7e50139fd5abbe81a4d497d385cc556a12dba391739ad1f5f66bf
                                            • Instruction Fuzzy Hash: 352195755083809FCB03CF58D994715BFB1EB46314F24C5EAD8898F2A7C33A9806CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:10.2%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:184
                                            Total number of Limit Nodes:14
                                            execution_graph 26111 6c6d756 26112 6c6d8f0 26111->26112 26113 6c6d760 26111->26113 26115 6c6f468 26113->26115 26116 6c6f482 26115->26116 26126 6c6f4a6 26116->26126 26132 8a205a3 26116->26132 26137 8a2083e 26116->26137 26142 8a20314 26116->26142 26148 8a206d4 26116->26148 26152 8a208d4 26116->26152 26156 8a20ad6 26116->26156 26160 8a20011 26116->26160 26166 8a208ad 26116->26166 26171 8a201ac 26116->26171 26177 8a203c8 26116->26177 26181 8a205cb 26116->26181 26186 8a2044a 26116->26186 26192 8a202e1 26116->26192 26199 8a20040 26116->26199 26126->26112 26133 8a205b1 26132->26133 26205 6c6c9d0 26133->26205 26209 6c6c9d8 26133->26209 26134 8a20b94 26213 6c6d147 26137->26213 26217 6c6d148 26137->26217 26138 8a205b2 26138->26137 26139 8a20b62 26138->26139 26143 8a20319 26142->26143 26145 8a20275 26143->26145 26146 6c6c9d0 ResumeThread 26143->26146 26147 6c6c9d8 ResumeThread 26143->26147 26144 8a20b94 26145->26126 26146->26144 26147->26144 26221 6c6ca80 26148->26221 26225 6c6ca88 26148->26225 26149 8a20275 26149->26126 26229 6c6d051 26152->26229 26233 6c6d058 26152->26233 26153 8a20902 26158 6c6ca80 Wow64SetThreadContext 26156->26158 26159 6c6ca88 Wow64SetThreadContext 26156->26159 26157 8a20af0 26158->26157 26159->26157 26162 8a20040 26160->26162 26161 8a2019b 26161->26126 26162->26161 26237 6c6d2e0 26162->26237 26241 6c6d2d9 26162->26241 26167 8a205f4 26166->26167 26169 6c6c9d0 ResumeThread 26167->26169 26170 6c6c9d8 ResumeThread 26167->26170 26168 8a20b94 26169->26168 26170->26168 26173 8a200e8 26171->26173 26172 8a2019b 26172->26126 26173->26172 26175 6c6d2e0 CreateProcessA 26173->26175 26176 6c6d2d9 CreateProcessA 26173->26176 26174 8a2024a 26174->26126 26175->26174 26176->26174 26179 6c6d051 WriteProcessMemory 26177->26179 26180 6c6d058 WriteProcessMemory 26177->26180 26178 8a20384 26179->26178 26180->26178 26182 8a205f4 26181->26182 26184 6c6c9d0 ResumeThread 26182->26184 26185 6c6c9d8 ResumeThread 26182->26185 26183 
8a20b94 26184->26183 26185->26183 26187 8a2044d 26186->26187 26188 8a20c6f 26187->26188 26190 6c6d051 WriteProcessMemory 26187->26190 26191 6c6d058 WriteProcessMemory 26187->26191 26189 8a20c4e 26190->26189 26191->26189 26245 6c6cf91 26192->26245 26249 6c6cf98 26192->26249 26193 8a202ff 26197 6c6d051 WriteProcessMemory 26193->26197 26198 6c6d058 WriteProcessMemory 26193->26198 26194 8a20c4e 26197->26194 26198->26194 26201 8a20073 26199->26201 26200 8a2019b 26200->26126 26201->26200 26203 6c6d2e0 CreateProcessA 26201->26203 26204 6c6d2d9 CreateProcessA 26201->26204 26202 8a2024a 26202->26126 26203->26202 26204->26202 26206 6c6c9d8 ResumeThread 26205->26206 26208 6c6ca49 26206->26208 26208->26134 26210 6c6ca18 ResumeThread 26209->26210 26212 6c6ca49 26210->26212 26212->26134 26214 6c6d148 ReadProcessMemory 26213->26214 26216 6c6d1d7 26214->26216 26216->26138 26218 6c6d193 ReadProcessMemory 26217->26218 26220 6c6d1d7 26218->26220 26220->26138 26222 6c6cacd Wow64SetThreadContext 26221->26222 26224 6c6cb15 26222->26224 26224->26149 26226 6c6cacd Wow64SetThreadContext 26225->26226 26228 6c6cb15 26226->26228 26228->26149 26230 6c6d058 WriteProcessMemory 26229->26230 26232 6c6d0f7 26230->26232 26232->26153 26234 6c6d0a0 WriteProcessMemory 26233->26234 26236 6c6d0f7 26234->26236 26236->26153 26238 6c6d369 CreateProcessA 26237->26238 26240 6c6d52b 26238->26240 26242 6c6d369 CreateProcessA 26241->26242 26244 6c6d52b 26242->26244 26246 6c6cfd8 VirtualAllocEx 26245->26246 26248 6c6d015 26246->26248 26248->26193 26250 6c6cfd8 VirtualAllocEx 26249->26250 26252 6c6d015 26250->26252 26252->26193 26265 8a21390 26266 8a2151b 26265->26266 26268 8a213b6 26265->26268 26268->26266 26269 8a20e9c 26268->26269 26270 8a21610 PostMessageW 26269->26270 26271 8a2167c 26270->26271 26271->26268 26255 9dd7f8 26256 9dd83e GetCurrentProcess 26255->26256 26258 9dd889 26256->26258 26259 9dd890 GetCurrentThread 26256->26259 26258->26259 26260 9dd8cd GetCurrentProcess 26259->26260 26261 9dd8c6 
26259->26261 26262 9dd903 GetCurrentThreadId 26260->26262 26261->26260 26264 9dd95c 26262->26264 26272 9d4668 26273 9d467a 26272->26273 26274 9d4686 26273->26274 26278 9d4778 26273->26278 26283 9d4204 26274->26283 26276 9d46a5 26279 9d479d 26278->26279 26287 9d4879 26279->26287 26291 9d4888 26279->26291 26284 9d420f 26283->26284 26299 9d5e78 26284->26299 26286 9d77cc 26286->26276 26289 9d4888 26287->26289 26288 9d498c 26289->26288 26295 9d44e4 26289->26295 26293 9d48af 26291->26293 26292 9d498c 26293->26292 26294 9d44e4 CreateActCtxA 26293->26294 26294->26292 26296 9d5918 CreateActCtxA 26295->26296 26298 9d59db 26296->26298 26298->26298 26300 9d5e83 26299->26300 26303 9d73b0 26300->26303 26302 9d794d 26302->26286 26304 9d73bb 26303->26304 26307 9d73e0 26304->26307 26306 9d7a22 26306->26302 26308 9d73eb 26307->26308 26311 9d7410 26308->26311 26310 9d7b25 26310->26306 26312 9d741b 26311->26312 26313 9d8d93 26312->26313 26315 9db440 26312->26315 26313->26310 26316 9db450 26315->26316 26320 9db478 26316->26320 26323 9db468 26316->26323 26317 9db456 26317->26313 26327 9db55f 26320->26327 26321 9db487 26321->26317 26324 9db478 26323->26324 26326 9db55f 2 API calls 26324->26326 26325 9db487 26325->26317 26326->26325 26328 9db570 26327->26328 26330 9db5a4 26328->26330 26335 9db7f8 26328->26335 26339 9db808 26328->26339 26329 9db59c 26329->26330 26331 9db7a8 GetModuleHandleW 26329->26331 26330->26321 26332 9db7d5 26331->26332 26332->26321 26336 9db808 26335->26336 26338 9db841 26336->26338 26343 9dafb0 26336->26343 26338->26329 26340 9db81c 26339->26340 26341 9dafb0 LoadLibraryExW 26340->26341 26342 9db841 26340->26342 26341->26342 26342->26329 26344 9db9e8 LoadLibraryExW 26343->26344 26346 9dba61 26344->26346 26346->26338 26253 9dda40 DuplicateHandle 26254 9ddad6 26253->26254 26347 9dd6e0 26349 9dd6ed 26347->26349 26348 9dd727 26349->26348 26351 9dd018 26349->26351 26352 9dd023 26351->26352 26353 9de038 26352->26353 26355 9dd144 26352->26355 26356 9dd14f 26355->26356 26357 
9d7410 2 API calls 26356->26357 26358 9de0a7 26357->26358 26358->26353
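The execution graph above for process 17 (dnshost) strings together CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread. That is the API shape of process hollowing: a child is started suspended, its image region is written over from the injector, the primary thread's context is pointed at the new entry point, and the thread is resumed. The detector below is an added example, not code from the Joe Sandbox report or from the sample. It runs over an API-call trace in a constructed line format (`<caller_pid> <api>(<args>) -> <ret>`); the PIDs, handles and the host path in the two traces are hypothetical, chosen only to mirror the chain in the graph.

```python
"""Flag a process-hollowing API chain in an API-call trace.

Added example; not code from the Joe Sandbox report or from the sample. The
trace format, PIDs, handles and the host path are constructed to mirror the
chain in the execution graph (CreateProcessA -> VirtualAllocEx ->
WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread).
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x4                    # dwCreationFlags bit (CreateProcess*)
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE* values (flProtect)

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

# Constructed trace (hypothetical PIDs/handles): the hollowing chain.
HOLLOWING_TRACE = r"""
4812 CreateProcessA(lpApplicationName="C:\sandbox\host.exe", dwCreationFlags=0x4) -> hProcess=0x2c4,hThread=0x2c8,dwProcessId=5120
4812 ReadProcessMemory(hProcess=0x2c4, lpBaseAddress=0x7ffdf008, nSize=0x4) -> 1
4812 VirtualAllocEx(hProcess=0x2c4, lpAddress=0x400000, dwSize=0x3e000, flProtect=0x40) -> 0x400000
4812 WriteProcessMemory(hProcess=0x2c4, lpBaseAddress=0x400000, nSize=0x400) -> 1
4812 WriteProcessMemory(hProcess=0x2c4, lpBaseAddress=0x402000, nSize=0x1c000) -> 1
4812 Wow64SetThreadContext(hThread=0x2c8) -> 1
4812 ResumeThread(hThread=0x2c8) -> 1
"""

# Constructed trace: suspended start with no writes into that child (a debugger
# or job-object setup looks like this), plus a write to an untracked handle.
BENIGN_TRACE = r"""
3310 CreateProcessA(lpApplicationName="C:\sandbox\child.exe", dwCreationFlags=0x4) -> hProcess=0x1f0,hThread=0x1f4,dwProcessId=3344
3310 WriteProcessMemory(hProcess=0x3a0, lpBaseAddress=0x10000, nSize=0x100) -> 1
3310 ResumeThread(hThread=0x1f4) -> 1
"""


def parse_kv(text: str) -> dict:
    """Turn 'a=0x4, b="x"' into {'a': '0x4', 'b': 'x'}; values stay strings."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_trace(trace: str) -> list:
    """Parse trace lines into (caller_pid, api, args, ret) tuples; skip blanks."""
    calls = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            calls.append((int(m["pid"]), m["api"], parse_kv(m["args"]), parse_kv(m["ret"])))
    return calls


@dataclass
class Child:
    """Per-child state, keyed by the hProcess returned from CreateProcess*."""
    caller: int
    pid: int
    hthread: str
    suspended: bool
    exec_alloc: bool = False
    writes: int = 0
    bytes_written: int = 0
    context_api: str = ""


def detect_hollowing(trace: str) -> list:
    """One finding per child that is created suspended, written to, has its
    thread context replaced, and is then resumed. Calls on handles that did
    not come from a tracked CreateProcess* are ignored."""
    children, by_thread, findings = {}, {}, []
    for caller, api, args, ret in parse_trace(trace):
        if api in ("CreateProcessA", "CreateProcessW"):
            hproc, hthr = ret.get("hProcess"), ret.get("hThread")
            if hproc and hthr:
                flags = int(args.get("dwCreationFlags", "0"), 16)
                children[hproc] = Child(caller, int(ret.get("dwProcessId", "0")), hthr,
                                        bool(flags & CREATE_SUSPENDED))
                by_thread[hthr] = hproc
        elif api == "VirtualAllocEx" and args.get("hProcess") in children:
            if int(args.get("flProtect", "0"), 16) in EXEC_PROTECT:
                children[args["hProcess"]].exec_alloc = True
        elif api == "WriteProcessMemory" and args.get("hProcess") in children:
            c = children[args["hProcess"]]
            c.writes += 1
            c.bytes_written += int(args.get("nSize", "0"), 16)
        elif api in ("SetThreadContext", "Wow64SetThreadContext") and args.get("hThread") in by_thread:
            children[by_thread[args["hThread"]]].context_api = api
        elif api == "ResumeThread" and args.get("hThread") in by_thread:
            c = children[by_thread[args["hThread"]]]
            if c.suspended and c.writes and c.context_api:   # all three legs present
                findings.append({
                    "caller_pid": c.caller, "target_pid": c.pid,
                    "writes": c.writes, "bytes_written": c.bytes_written,
                    "exec_alloc": c.exec_alloc, "context_api": c.context_api,
                    "technique": "process hollowing",
                })
    return findings


if __name__ == "__main__":
    for hit in detect_hollowing(HOLLOWING_TRACE):
        print(hit)
    print("benign findings:", detect_hollowing(BENIGN_TRACE))
```

The decision is taken at ResumeThread, because that is the point where all three legs (CREATE_SUSPENDED, at least one WriteProcessMemory into that child, a SetThreadContext/Wow64SetThreadContext on its primary thread) can be known; a suspended start that is resumed without writes produces nothing, which is what keeps debuggers and job-object setup out of the alert. The executable VirtualAllocEx is recorded as evidence rather than required, since a hollowing loader may write over the existing image region instead of allocating a fresh one. Injection into an already-running process opened with OpenProcess is out of scope for this state machine and would need a second entry point keyed on that handle.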

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 302 9dd7f8-9dd887 GetCurrentProcess 306 9dd889-9dd88f 302->306 307 9dd890-9dd8c4 GetCurrentThread 302->307 306->307 308 9dd8cd-9dd901 GetCurrentProcess 307->308 309 9dd8c6-9dd8cc 307->309 310 9dd90a-9dd922 308->310 311 9dd903-9dd909 308->311 309->308 315 9dd92b-9dd95a GetCurrentThreadId 310->315 311->310 316 9dd95c-9dd962 315->316 317 9dd963-9dd9c5 315->317 316->317
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 009DD876
                                            • GetCurrentThread.KERNEL32 ref: 009DD8B3
                                            • GetCurrentProcess.KERNEL32 ref: 009DD8F0
                                            • GetCurrentThreadId.KERNEL32 ref: 009DD949
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 151b8a0c25ee1ada9f12a763f1d1e24d74f185cc76bdec4febc5161f1704e278
                                            • Instruction ID: fece597b62c0bf5d313293fc7739639a61beac851c94787eed85af329573948a
                                            • Opcode Fuzzy Hash: 151b8a0c25ee1ada9f12a763f1d1e24d74f185cc76bdec4febc5161f1704e278
                                            • Instruction Fuzzy Hash: B95137B09013098FDB14DFAAD548B9EBBF1EF88314F20C46AE059A7360D774A944CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 377 6c6d2d9-6c6d375 379 6c6d377-6c6d381 377->379 380 6c6d3ae-6c6d3ce 377->380 379->380 381 6c6d383-6c6d385 379->381 385 6c6d407-6c6d436 380->385 386 6c6d3d0-6c6d3da 380->386 383 6c6d387-6c6d391 381->383 384 6c6d3a8-6c6d3ab 381->384 387 6c6d395-6c6d3a4 383->387 388 6c6d393 383->388 384->380 396 6c6d46f-6c6d529 CreateProcessA 385->396 397 6c6d438-6c6d442 385->397 386->385 389 6c6d3dc-6c6d3de 386->389 387->387 390 6c6d3a6 387->390 388->387 391 6c6d3e0-6c6d3ea 389->391 392 6c6d401-6c6d404 389->392 390->384 394 6c6d3ee-6c6d3fd 391->394 395 6c6d3ec 391->395 392->385 394->394 398 6c6d3ff 394->398 395->394 408 6c6d532-6c6d5b8 396->408 409 6c6d52b-6c6d531 396->409 397->396 399 6c6d444-6c6d446 397->399 398->392 401 6c6d448-6c6d452 399->401 402 6c6d469-6c6d46c 399->402 403 6c6d456-6c6d465 401->403 404 6c6d454 401->404 402->396 403->403 405 6c6d467 403->405 404->403 405->402 419 6c6d5ba-6c6d5be 408->419 420 6c6d5c8-6c6d5cc 408->420 409->408 419->420 421 6c6d5c0 419->421 422 6c6d5ce-6c6d5d2 420->422 423 6c6d5dc-6c6d5e0 420->423 421->420 422->423 424 6c6d5d4 422->424 425 6c6d5e2-6c6d5e6 423->425 426 6c6d5f0-6c6d5f4 423->426 424->423 425->426 427 6c6d5e8 425->427 428 6c6d606-6c6d60d 426->428 429 6c6d5f6-6c6d5fc 426->429 427->426 430 6c6d624 428->430 431 6c6d60f-6c6d61e 428->431 429->428 433 6c6d625 430->433 431->430 433->433
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C6D516
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 6840e3c03fbf84558aa25d369339407b2c8cb85a4e63212e1edee2e813c977b5
                                            • Instruction ID: 0546cca2b92594ef2a33510704904c0061c5e9a5b30ea08969489090be20aacb
                                            • Opcode Fuzzy Hash: 6840e3c03fbf84558aa25d369339407b2c8cb85a4e63212e1edee2e813c977b5
                                            • Instruction Fuzzy Hash: D6917071E00219CFDB60DF69C8807EDBBB2FF44314F1485A9E809A7280DB74AA85CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6d2e0-6c6d625, CreateProcessA is called from block 6c6d46f-6c6d529
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C6D516
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 40a122c62c7533bb8e116df7e35a1461c771ff4f0bc9c79976c1fea20e684df8
                                            • Instruction ID: 4b4bb3335f4fa33b7ceb0c0be5ae504740229242b5a979a6debd99f08d9e313d
                                            • Opcode Fuzzy Hash: 40a122c62c7533bb8e116df7e35a1461c771ff4f0bc9c79976c1fea20e684df8
                                            • Instruction Fuzzy Hash: 0E916F71E00219DFDB50DFA9C8817EDBBB2FF44314F1485A9E809A7280DB74AA85CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 9db55f-9db7f0, GetModuleHandleW is called from block 9db7a8-9db7d3, internal calls to 9d8ac0, 9daf54, 9daf64, 9daf74, 9daf84, 9db7f8 and 9db808
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63738ef3251ed30e081040a70ed595025b92dee94e6a25bbefa811bb95eb806b
                                            • Instruction ID: 590b7ef1aeec99ca91ddc3d534dc5ab840badaa1fbb3c488ecb062649885b603
                                            • Opcode Fuzzy Hash: 63738ef3251ed30e081040a70ed595025b92dee94e6a25bbefa811bb95eb806b
                                            • Instruction Fuzzy Hash: 25812170A00B05CFDB24DF29D54479ABBF5BF88310F14892EE08A9BB51DB74E949CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 9d44e4-9d5a61, CreateActCtxA is called from block 9d44e4-9d59d9
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 009D59C9
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 708f138761c9b2b1789db78d864b50cb70c12b61603a014eab0418c432f95638
                                            • Instruction ID: 851c0184a16420c1af1fce8afb7966236a78211bc50ac9b3f9be0f397437d5cc
                                            • Opcode Fuzzy Hash: 708f138761c9b2b1789db78d864b50cb70c12b61603a014eab0418c432f95638
                                            • Instruction Fuzzy Hash: A641F1B0C00B19CBDB24CFA9C884BDDBBB5BF48304F2480AAD408AB251DB756945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 9d590c-9d5a61, CreateActCtxA is called from block 9d590c-9d59d9
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 009D59C9
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 84d02e01849b9e4dd75eaa3cd352116f20df5f6c6ede0f3d5516c6ae93b3d61a
                                            • Instruction ID: 22311d3285ff1be9df8067c1e9c451a256c8de6794e718b411428be709fccd6d
                                            • Opcode Fuzzy Hash: 84d02e01849b9e4dd75eaa3cd352116f20df5f6c6ede0f3d5516c6ae93b3d61a
                                            • Instruction Fuzzy Hash: 3141F2B1C00B19CFDB24CFA9C9847CEBBB5BF48304F2481AAD408AB255DB756946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6d051-6c6d12e, WriteProcessMemory is called from block 6c6d0b6-6c6d0f5
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C6D0E8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 141881f3cf092042fe49010ceb1b540be617842ac2ec2145aa42b79de5287600
                                            • Instruction ID: 3e844c74862d2beb2dfbeb15e3fc31783daf6ff357a6fe58fdbb0d5f22e7290b
                                            • Opcode Fuzzy Hash: 141881f3cf092042fe49010ceb1b540be617842ac2ec2145aa42b79de5287600
                                            • Instruction Fuzzy Hash: C1217AB19003599FCB10CFAAC880BDEBBF4FF48310F10842DE919A7240C775A541CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6d058-6c6d12e, WriteProcessMemory is called from block 6c6d0b6-6c6d0f5
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C6D0E8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 25d5879b498fdcf918ef24c2c5d8e00f3fc84926e08874d77ba4e78fa2033c69
                                            • Instruction ID: 20860cedf14d8ffbec48767991374f5490ac9d7c8a626f6e68f06990fc3ba543
                                            • Opcode Fuzzy Hash: 25d5879b498fdcf918ef24c2c5d8e00f3fc84926e08874d77ba4e78fa2033c69
                                            • Instruction Fuzzy Hash: 9B2169B19003499FCB10CFAAC980BDEBBF5FF48310F108429E919A7240C779A945CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6ca80-6c6cb4c, Wow64SetThreadContext is called from block 6c6cae3-6c6cb13
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6CB06
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 2e2a52b3c2acb40e0e6bc8f6dd78692b7dc9e7d4ccfe49fdafdb6e03b04985ac
                                            • Instruction ID: 3a14948a701227629693f167b403988df5b8d4e36880ccc8484faee7d2cddf27
                                            • Opcode Fuzzy Hash: 2e2a52b3c2acb40e0e6bc8f6dd78692b7dc9e7d4ccfe49fdafdb6e03b04985ac
                                            • Instruction Fuzzy Hash: EA2148B19003098FDB10DFAAC4857EEBFF4EF88324F148429D498A7251CB789545CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6d147-6c6d20e, ReadProcessMemory is called from block 6c6d147-6c6d1d5
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C6D1C8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 6d3b310ff8697344edd414356de2843e400aef5d0f4460670f4fdbbf16a59b0a
                                            • Instruction ID: 130f0798ccbfabd0dd95c16ce06c57b7fcded54ecdfba98ab7737f938eb5f76c
                                            • Opcode Fuzzy Hash: 6d3b310ff8697344edd414356de2843e400aef5d0f4460670f4fdbbf16a59b0a
                                            • Instruction Fuzzy Hash: 092128B19003599FCB10DFAAC881AEEFBF5FF48320F108429E559A7250C778A544CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C6D1C8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 1661ed95e53506c6c34eda345ea7f6df4f11452f750cc0b3b460b82f4a8248b3
                                            • Instruction ID: 6b710e0c0d87c6b24df2a7c697b44d0d94cf226e817e30db5b1bcd64c2b52290
                                            • Opcode Fuzzy Hash: 1661ed95e53506c6c34eda345ea7f6df4f11452f750cc0b3b460b82f4a8248b3
                                            • Instruction Fuzzy Hash: A42128B19003599FCB10DFAAC880AEEFBF5FF48320F108429E559A7250C778A544CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph

                                             • Graph rendering omitted; basic blocks span 6c6ca88-6c6cb4c, Wow64SetThreadContext is called from block 6c6cae3-6c6cb13
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C6CB06
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: a25d5dff4316f786436211fa2de29f77c2427c823e61e390501aac8f1a4f2a58
                                            • Instruction ID: 5419ad6ccf598ca1e1f435e8dfd2d6f9467fe3b4a14963436d4050f7ea8644fb
                                            • Opcode Fuzzy Hash: a25d5dff4316f786436211fa2de29f77c2427c823e61e390501aac8f1a4f2a58
                                            • Instruction Fuzzy Hash: 272118B1D003098FDB10DFAAC4857EEBBF4EF88324F14842AD459A7241DB789945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009DDAC7
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 395f4b36835492661d4dead42e38079fef299f303f8026136edede533238659f
                                            • Instruction ID: f37cb1fb54d4ceefc2c2c55af781dcf4ef4fd0b49aa9eea87a7d3e9791f47131
                                            • Opcode Fuzzy Hash: 395f4b36835492661d4dead42e38079fef299f303f8026136edede533238659f
                                            • Instruction Fuzzy Hash: 6B21E4B59003089FDB10CFAAD584ADEFBF8EB48320F14841AE914A7310D374A940CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009DB841,00000800,00000000,00000000), ref: 009DBA52
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: ca7262e305e42932d6c08929eab08fd75b7d040d43c727ae6228cbbbc6d63eef
                                            • Instruction ID: b08678fa88b06fe7fc5ab838cff162df71c4a050275631d93bdfba06fd084faf
                                            • Opcode Fuzzy Hash: ca7262e305e42932d6c08929eab08fd75b7d040d43c727ae6228cbbbc6d63eef
                                            • Instruction Fuzzy Hash: 071114B6900349DFDB20CF9AC484ADEFBF8EB48310F10842AE519A7310C375A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C6D006
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 86c466035dbbde30f79e17d5c493ef8d72859e6ac825bc6037d7f87ae3b3fa1a
                                            • Instruction ID: 02ab877c1d21613c55e4ddb7eedb76acba32055cab1b749f205e336278a3df32
                                            • Opcode Fuzzy Hash: 86c466035dbbde30f79e17d5c493ef8d72859e6ac825bc6037d7f87ae3b3fa1a
                                            • Instruction Fuzzy Hash: 051159B29002499FCB20DFA9C844BDEBFF1EF88320F24841DE455A7250C7359545CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C6D006
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 1f7debc4b31e22ad506bf3af561bcb4e6b2d44001edbbf7e90e6f47657749a77
                                            • Instruction ID: 758e5b27bbce8991bdaaf040ce7287131490b98f4f798cb547caa0daca2ff9f5
                                            • Opcode Fuzzy Hash: 1f7debc4b31e22ad506bf3af561bcb4e6b2d44001edbbf7e90e6f47657749a77
                                            • Instruction Fuzzy Hash: 8E1137B19002499FCB10DFAAC844BDEFFF5EF88320F248419E559A7250C775A544CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 06C6CA3A
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 749b8abf6438d4eaf958b3714936a155929fdadb43b9a9c73939f9ec547d4fb4
                                            • Instruction ID: b12d6d0bb4f72e2431cab12aebfcc227d25b624c4a055aa32a9573b8166fe239
                                            • Opcode Fuzzy Hash: 749b8abf6438d4eaf958b3714936a155929fdadb43b9a9c73939f9ec547d4fb4
                                            • Instruction Fuzzy Hash: 6B1146B19003598FCB20DFAAC8857DEFBF4EF88324F248419D559A7240CB35A945CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009DB841,00000800,00000000,00000000), ref: 009DBA52
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 405c8a12136b49e73a91b7fa16d95f2bc674d214cbdfee7f72c4861d1c2e94d2
                                            • Instruction ID: 5289f3ed2c6bafe8a8500d0bca275cade8cf7e18f84a6f22479570caf52e92ec
                                            • Opcode Fuzzy Hash: 405c8a12136b49e73a91b7fa16d95f2bc674d214cbdfee7f72c4861d1c2e94d2
                                            • Instruction Fuzzy Hash: C111E2B6900349CFDB20CF9AC584ADEFBF5AB88310F14842ED519AB710C779A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 06C6CA3A
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1903856598.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6c60000_dnshost.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 5b2aefbe3cb12521e6c1d7b4846fa2b857ed53c7a09c48120608ba2505e95456
                                            • Instruction ID: 8d288682012f4b16b28dc65f793a6a87873e3c3105c55f3a511437789d15ddfa
                                            • Opcode Fuzzy Hash: 5b2aefbe3cb12521e6c1d7b4846fa2b857ed53c7a09c48120608ba2505e95456
                                            • Instruction Fuzzy Hash: 99113AB1D003498FCB10DFAAC4457DEFBF4EB88324F248419D559A7250CB75A544CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 08A2166D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1905193109.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_8a20000_dnshost.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 009DB7C6
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896425292.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_9d0000_dnshost.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 08A2166D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1905193109.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_8a20000_dnshost.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896181864.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_92d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896181864.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_92d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896240413.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_93d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896240413.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_93d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896240413.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_93d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896181864.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_92d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896181864.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_92d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.1896240413.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_93d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:8.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:49
                                            Total number of Limit Nodes:10

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0137D496
                                            • GetCurrentThread.KERNEL32 ref: 0137D4D3
                                            • GetCurrentProcess.KERNEL32 ref: 0137D510
                                            • GetCurrentThreadId.KERNEL32 ref: 0137D569
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 0137D496
                                            • GetCurrentThread.KERNEL32 ref: 0137D4D3
                                            • GetCurrentProcess.KERNEL32 ref: 0137D510
                                            • GetCurrentThreadId.KERNEL32 ref: 0137D569
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137AFDE
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D6E7
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137D6E7
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137B059,00000800,00000000,00000000), ref: 0137B26A
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137B059,00000800,00000000,00000000), ref: 0137B26A
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph omitted; recovered basic blocks): 137af78-137afb8, 137afba-137afbd, 137afc0-137afeb (GetModuleHandleW), 137afed-137aff3, 137aff4-137b008
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137AFDE
                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1935350402.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_1370000_dnshost.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 9bd6523b6f6ca9484ace7d8611df1ad909d7c95a8e1d3c4dac798b1063b1a237
                                            • Instruction ID: d90d6558bceca3c93ab11dd8eba27927e670a16609d88fd1b2be55772368a4c3
                                            • Opcode Fuzzy Hash: 9bd6523b6f6ca9484ace7d8611df1ad909d7c95a8e1d3c4dac798b1063b1a237
                                            • Instruction Fuzzy Hash: D31113B5C00349CFDB20CF9AC844ADEFBF4AB48324F14841AD458A7250C379A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1934204957.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_f8d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7936a55726b63ec576abf0dd5a33da0c256b97a39edf9aadd81cc0e5adee933f
                                            • Instruction ID: 341a13a19c59f254d14f7892abf7dd2e61c1e270f4bd5c939de8f6fb398fdf5c
                                            • Opcode Fuzzy Hash: 7936a55726b63ec576abf0dd5a33da0c256b97a39edf9aadd81cc0e5adee933f
                                            • Instruction Fuzzy Hash: 68210672944204DFDB05EF14D9C0B66BF65FF94328F24C16AD9090E296C336D855E7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1934271106.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_f9d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2dea1724ac25138f8f148583caf82141a91b34883d9fa86c0fc4ddda4a91d749
                                            • Instruction ID: 70f76be29634bfdf87dbdc5ca8294843b1aff16d59f7c3c24ae648ec462446ad
                                            • Opcode Fuzzy Hash: 2dea1724ac25138f8f148583caf82141a91b34883d9fa86c0fc4ddda4a91d749
                                            • Instruction Fuzzy Hash: 6321F271A04200DFEF14DF24D984B26BBA5FB84324F30C569D94A4B2AAC33AD847DA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1934271106.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_f9d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 707fa7008e98249bba7d3a1c9673eac238e669a2a49b4321b6b32e48b9e244fd
                                            • Instruction ID: 1634cd27c0cca1f8c3848dfc8abae631a27821689e457f6b05f47ee623cf87aa
                                            • Opcode Fuzzy Hash: 707fa7008e98249bba7d3a1c9673eac238e669a2a49b4321b6b32e48b9e244fd
                                            • Instruction Fuzzy Hash: 582150755093808FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ADB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000015.00000002.1934204957.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_21_2_f8d000_dnshost.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction ID: 7d3db0ed87095f6ed1575fdc16d67a64410d7c4c3492a980eeefa30e16ea4dfe
                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                            • Instruction Fuzzy Hash: D911DF76804240CFCB02DF04D9C4B56BF72FB94324F28C1AAD9090F256C336D85ADBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%