
Windows Analysis Report
PasswordStealer.NET.bin

Overview

General Information

Sample Name:PasswordStealer.NET.bin (renamed file extension from bin to exe)
Analysis ID:576204
MD5:fb2ca93f987313108abdd4a6d687783a
SHA1:0783b8327a88aff87c627497d4333fd778da59be
SHA256:b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PasswordStealer.NET.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\PasswordStealer.NET.exe" MD5: FB2CA93F987313108ABDD4A6D687783A)
    • AppLaunch.exe (PID: 6788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x878fa:$s1: HawkEye Keylogger
  • 0x87963:$s1: HawkEye Keylogger
  • 0x80d3d:$s2: _ScreenshotLogger
  • 0x80d0a:$s3: _PasswordStealer
0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8881a:$s1: HawkEye Keylogger
  • 0x88883:$s1: HawkEye Keylogger
  • 0x81c5d:$s2: _ScreenshotLogger
  • 0x81c2a:$s3: _PasswordStealer
00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x878fa:$s1: HawkEye Keylogger
  • 0x87963:$s1: HawkEye Keylogger
  • 0x80d3d:$s2: _ScreenshotLogger
  • 0x80d0a:$s3: _PasswordStealer
(23 further entries omitted)
Source | Rule | Description | Author | Strings
12.3.AppLaunch.exe.8b2db5a.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
12.3.AppLaunch.exe.8b2db5a.1.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.AppLaunch.exe.bc0834a.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
12.2.AppLaunch.exe.bc0834a.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.AppLaunch.exe.bc0834a.1.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
(88 further entries omitted)
          No Sigma rule has matched
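The two rule families above overlap for a reason visible elsewhere in this report: the BabyShark strings ($a1 logins.json, the moz_login SELECT, \mozsqlite3.dll, "SMTP Password") are generic credential-store strings carried by the NirSoft password-recovery tools, and the PDB paths recovered from AppLaunch.exe memory (mailpv.pdb, WebBrowserPassView.pdb, plus the www.nirsoft.net URL) show that HawkEye embeds exactly those tools. The scanner below is an added example, not code from Joe Sandbox or from either rule author: it reproduces the string sets listed in this report, scans a constructed buffer that stands in for an unpacked AppLaunch.exe region, and prints matches in the report's own offset:$id style while noting whether NirSoft tool markers are also present. The match condition (at least two distinct strings per rule) is an assumption made here; the real rules' conditions are not shown on the page.

```python
"""
Added example (not part of the Joe Sandbox report): a minimal string scanner
that reproduces the indicator sets behind the two Yara families in this report
and shows why HawkEye's embedded NirSoft tools also satisfy the BabyShark rule.
"""

# Indicator strings copied from the report's Yara match listings.
RULES = {
    "MAL_HawkEye_Keylogger_Gen_Dec18": {
        "$s1": b"HawkEye Keylogger",
        "$s2": b"_ScreenshotLogger",
        "$s3": b"_PasswordStealer",
    },
    "APT_NK_BabyShark_KimJoingRAT_Apr19_1": {
        "$a1": b"logins.json",
        "$s3": (b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
                b"passwordField, encryptedUsername, encryptedPassword FROM moz_login"),
        "$s4": b"\\mozsqlite3.dll",
        "$s5": b"SMTP Password",
    },
}

# Markers of the NirSoft tools whose PDB paths and URL appear in the report.
NIRSOFT_HINTS = [b"mailpv.pdb", b"WebBrowserPassView.pdb", b"http://www.nirsoft.net/"]


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """Return every offset of needle in buf (overlapping matches included)."""
    out, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return out
        out.append(i)
        start = i + 1


def scan(buf: bytes, min_hits: int = 2) -> dict[str, dict[str, list[int]]]:
    """Scan buf against every rule. A rule matches when at least min_hits of its
    distinct strings are present (assumed condition, not the real rules' logic).
    Returns {rule_name: {string_id: [offsets, ...]}} for matching rules only."""
    results = {}
    for rule, strings in RULES.items():
        hits = {sid: find_all(buf, s) for sid, s in strings.items()}
        hits = {sid: offs for sid, offs in hits.items() if offs}
        if len(hits) >= min_hits:
            results[rule] = hits
    return results


def nirsoft_embedded(buf: bytes) -> list[str]:
    """Which NirSoft tool markers are present; explains a BabyShark hit on HawkEye."""
    return [h.decode() for h in NIRSOFT_HINTS if h in buf]


def format_hits(results: dict) -> list[str]:
    """Render results in the report's own 'offset:$id: value' style."""
    lines = []
    for rule, hits in results.items():
        lines.append(rule)
        for sid, offs in hits.items():
            for off in offs:
                lines.append(f"  0x{off:x}:{sid}: {RULES[rule][sid].decode()}")
    return lines


# Constructed buffer (not a real dump): HawkEye class names followed by the
# NirSoft MailPassView/WebBrowserPassView strings that satisfy the BabyShark rule.
SAMPLE = (
    b"\x00" * 64
    + b"HawkEye Keylogger\x00_PasswordStealer\x00_ScreenshotLogger\x00"
    + b"\x00" * 32
    + b"c:\\Projects\\VS2005\\mailpv\\Command-Line\\mailpv.pdb\x00"
    + b"SMTP Password\x00logins.json\x00\\mozsqlite3.dll\x00"
    + RULES["APT_NK_BabyShark_KimJoingRAT_Apr19_1"]["$s3"] + b"\x00"
    + b"HawkEye Keylogger\x00"
)

if __name__ == "__main__":
    res = scan(SAMPLE)
    print("\n".join(format_hits(res)))
    print("NirSoft tool markers present:", nirsoft_embedded(SAMPLE))
```

Run against a real unpacked region (e.g. the `.unpack` artefacts Joe Sandbox exports), a BabyShark hit that coincides with `nirsoft_embedded()` returning the mailpv/WebBrowserPassView markers should be read as "bundled NirSoft tooling", not as KimJongRAT attribution.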


          AV Detection

Source: PasswordStealer.NET.exe | Virustotal: Detection: 85%
Source: PasswordStealer.NET.exe | Metadefender: Detection: 68%
Source: PasswordStealer.NET.exe | ReversingLabs: Detection: 89%
Source: PasswordStealer.NET.exe | Avira: detected
Source: https://a.pomf.cat/ | Avira URL Cloud: Label: phishing
Source: http://pomf.cat/upload.php | Virustotal: Detection: 7%
Source: PasswordStealer.NET.exe | Joe Sandbox ML: detected
Source: 12.0.AppLaunch.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.2.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 12.0.AppLaunch.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: PasswordStealer.NET.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PasswordStealer.NET.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: robo.pdb | source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

          Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: bot.whatismyipaddress.com (5 queries observed)
Source: unknown | DNS traffic detected: query: 202.200.1.0.in-addr.arpa replaycode: Name error (3)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com4
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: unknown | DNS traffic detected: queries for: 202.200.1.0.in-addr.arpa

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          System Summary

Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: PasswordStealer.NET.exe, y/n.cs | Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs | Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/n.cs | Large array initialization: 6Wy4+mFyuOniOCYaz2tMfNTAH6fLHHvOe6rFoL6mBEGBA+JQeW+OE43NDTbDet0jxK66jLQdy9+63uCl8t9Z2ovt3XbgJgEJa+Lwh6UISwbx9UugZ+Vibz02dZp5gjkAM0T+5fnFa6SiuzFOJgYf: array initializer size 99840
Source: PasswordStealer.NET.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
          Source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
          Source: PasswordStealer.NET.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: PasswordStealer.NET.exe | Binary or memory string: OriginalFilename vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.364690039.00000000009A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.365348911.00000000010F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.365877906.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamerobo.dll4 vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe | Binary or memory string: OriginalFilename007.exeH vs PasswordStealer.NET.exe
          Source: PasswordStealer.NET.exe | Virustotal: Detection: 85%
          Source: PasswordStealer.NET.exe | Metadefender: Detection: 68%
          Source: PasswordStealer.NET.exe | ReversingLabs: Detection: 89%
          Source: PasswordStealer.NET.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\PasswordStealer.NET.exe "C:\Users\user\Desktop\PasswordStealer.NET.exe"
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
</gr_replreplace>
<gr_replace lines="400-402" cat="reformat" orig="Source: C:\Users\user\Desktop\PasswordStealer.NET.exeFile created">
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PasswordStealer.NET.exe.log
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Temp\5c9e99f0-aed9-08b2-ba3c-8df8e171ab02
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@2/0
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PasswordStealer.NET.exe.logJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\Temp\5c9e99f0-aed9-08b2-ba3c-8df8e171ab02Jump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/3@2/0
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: \Sessions\1\BaseNamedObjects\3b4a4cc4-c9ba-470a-96db-668b03cd472a
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 12.0.AppLaunch.exe.400000.3.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PasswordStealer.NET.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: PasswordStealer.NET.exe | Static file information: File size 1272320 > 1048576
          Source: PasswordStealer.NET.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PasswordStealer.NET.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135e00
          Source: PasswordStealer.NET.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: robo.pdb source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, PasswordStealer.NET.exe, 00000001.00000002.365829610.0000000002D00000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: PasswordStealer.NET.exe, y/h.cs | .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs | .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.PasswordStealer.NET.exe.9a0000.0.unpack, y/h.cs | .Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_009B1E18 push eax; iretd 1_2_009B1E2F
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_009B15A8 push es; retf 1_2_009B15A9
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_009B1D51 push C661B22Dh; iretd 1_2_009B1D56
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F41C3 push esi; ret 1_2_013F41CA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F41C0 push esi; ret 1_2_013F41C2
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F403B push ebp; ret 1_2_013F4042
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F4020 push ebp; ret 1_2_013F403A
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F4073 push ebp; ret 1_2_013F407A
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F40F3 push esi; ret 1_2_013F40FA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F68A9 pushfd ; ret 1_2_013F68AA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F4BD3 pushad ; ret 1_2_013F4BDA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013FFE60 push eax; iretd 1_2_013FFE6E
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F3E41 push edx; ret 1_2_013F3E42
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Code function: 1_2_013F3EE1 push ebp; ret 1_2_013F3EE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 12_2_070F326C push ss; retf 12_2_070F326D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 12_2_070F32F5 push ss; retf 12_2_070F32F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 12_2_09F735E0 pushad ; iretd 12_2_09F735E1

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | File opened: C:\Users\user\Desktop\PasswordStealer.NET.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe TID: 4884 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5732 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3248 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6452 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: AppLaunch.exe, 0000000C.00000002.376954301.000000000A080000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: 12.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 12.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Queries volume information: C:\Users\user\Desktop\PasswordStealer.NET.exe VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PasswordStealer.NET.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 12.3.AppLaunch.exe.8b2db5a.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bc0834a.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bc0834a.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8b2db5a.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5b55.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0345.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5b55.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5810.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.3.AppLaunch.exe.8ad5810.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.AppLaunch.exe.bbb0345.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.41ccd20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.40b87bc.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.3edc33c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PasswordStealer.NET.exe.3e39510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PasswordStealer.NET.exe PID: 6388, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AppLaunch.exe PID: 6788, type: MEMORYSTR
Source: PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
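The configuration-field string found above in both PasswordStealer.NET.exe and the injected AppLaunch.exe is the settings layout of a HawkEye Reborn build (delivery channel, e-mail/FTP/panel credentials, logger toggles, install and anti-analysis options), and it is a usable hunting signature on its own. The following is an added example, not Joe Sandbox's code and not code from the sample, that scans a memory dump for that field list in the UTF-16LE form .NET keeps string literals in as well as the plain-ASCII form the report prints, and pulls the delivery URLs out of the same buffer. The field names are copied from the report's string; the dump it runs on is constructed inline from the strings this page lists.

```python
"""Hunt for the HawkEye Reborn configuration-field signature in a memory dump.

Added example: the field names are copied from the string the sandbox found in
process memory; SAMPLE_DUMP is constructed here, not taken from the sample.
"""
import re
from dataclasses import dataclass

HAWKEYE_CONFIG_FIELDS = [
    "Version", "Mutex", "Delivery", "EmailUsername", "EmailPassword", "EmailServer",
    "EmailPort", "EmailSSL", "FTPServer", "FTPUsername", "FTPPassword", "FTPPort",
    "FTPSFTP", "ProxyURL", "ProxySecret", "PanelURL", "PanelSecret", "LogInterval",
    "PasswordStealer", "KeyStrokeLogger", "ClipboardLogger", "ScreenshotLogger",
    "WebCamLogger", "SystemInfo", "Install", "InstallLocation", "InstallFolder",
    "InstallFileName", "InstallStartup", "InstallStartupPersistance", "HistoryCleaner",
    "ZoneID", "HideFile", "MeltFile", "Disablers", "DisableTaskManager",
    "DisableCommandPrompt", "DisableRegEdit", "ProcessProtection", "ProcessElevation",
    "AntiVirusKiller", "BotKiller", "AntiDebugger", "ExecutionDelay", "FakeMessageShow",
    "FakeMessageTitle", "FakeMessageText", "FakeMessageIcon", "WebsiteVisitor",
    "WebsiteVisitorVisible", "WebsiteVisitorSites", "WebsiteBlocker",
    "WebsiteBlockerSites", "FileBinder", "FileBinderFiles",
]
# The string exactly as the report shows it: every field carries a leading underscore.
HAWKEYE_CONFIG_STRING = "".join("_" + f for f in HAWKEYE_CONFIG_FIELDS)

# .NET stores string literals as UTF-16LE; sandbox string dumps print them as ASCII.
# A rule that covers only one encoding misses half the places the config can appear.
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str


def find_hawkeye_config(buf: bytes, min_fields: int = 8) -> list[Hit]:
    """Locate the config-field list in buf.

    Only the first min_fields names are required, so a rebuilt stealer that
    appends or renames trailing fields still trips the rule.
    """
    prefix = "".join("_" + f for f in HAWKEYE_CONFIG_FIELDS[:min_fields])
    hits: list[Hit] = []
    for label, codec in ENCODINGS.items():
        needle = prefix.encode(codec)
        pos = buf.find(needle)
        while pos != -1:
            hits.append(Hit(pos, label))
            pos = buf.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


# '&' is deliberately left out of the URL character class: the report's fused
# artefact "upload.php&https://a.pomf.cat/" then splits into its two URLs.
_URL_CHARS = rb"[A-Za-z0-9._\-/?=%]"
_URL_ASCII = re.compile(rb"https?://" + _URL_CHARS + rb"+")
_URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00)+"
)


def extract_urls(buf: bytes) -> list[str]:
    """Return http(s) URLs from both encodings, deduplicated, in order of appearance."""
    found = [(m.start(), m.group().decode("ascii")) for m in _URL_ASCII.finditer(buf)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in _URL_UTF16.finditer(buf)]
    urls: list[str] = []
    for _, url in sorted(found):
        if url not in urls:
            urls.append(url)
    return urls


# Constructed sample dump: the config string as a .NET UTF-16LE literal, followed by
# the delivery/IP-check URL strings this report lists, one in ASCII, one in UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + HAWKEYE_CONFIG_STRING.encode("utf-16-le")
    + b"\x00" * 8
    + b"http://pomf.cat/upload.php&https://a.pomf.cat/\x00"
    + "http://bot.whatismyipaddress.com/".encode("utf-16-le")
    + b"\x00" * 16
)


def triage(buf: bytes) -> dict:
    """One-call summary: where the config signature sits and which URLs surround it."""
    return {"config_hits": find_hawkeye_config(buf), "urls": extract_urls(buf)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(key, value)
```

Run it against a raw process dump (for example one of the .sdmp regions named above) and it reports the offset and encoding of the config block plus the URLs near it; the same two byte patterns translate directly into a YARA rule with `ascii wide` strings.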
MITRE ATT&CK Matrix (rebuilt per tactic column from the flattened grid). Bracketed digits are the signature badges the report attaches to a technique, reproduced as extracted; techniques without a badge are grid entries with no matching signature for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [111] Windows Management Instrumentation; [1] Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: [11] Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Masquerading; [1] Disable or Modify Tools; [131] Virtualization/Sandbox Evasion; [11] Process Injection; [1] Deobfuscate/Decode Files or Information; [1] Hidden Files and Directories; [1] Obfuscated Files or Information; [11] Software Packing
Credential Access: [1] Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [211] Security Software Discovery; [131] Virtualization/Sandbox Evasion; [1] Remote System Discovery; [1] System Network Configuration Discovery; [13] System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: [1] Input Capture; [11] Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: [1] Encrypted Channel; [1] Remote Access Software; [1] Non-Application Layer Protocol; [1] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
PasswordStealer.NET.exe | 85% | Virustotal |
PasswordStealer.NET.exe | 69% | Metadefender |
PasswordStealer.NET.exe | 90% | ReversingLabs | ByteCode-MSIL.Spyware.Remcos
PasswordStealer.NET.exe | 100% | Avira | HEUR/AGEN.1131977
PasswordStealer.NET.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
12.0.AppLaunch.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
12.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.0.PasswordStealer.NET.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1131977
12.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
12.0.AppLaunch.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
12.0.AppLaunch.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
12.0.AppLaunch.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
1.2.PasswordStealer.NET.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1131977

Domains
Source | Detection | Scanner | Label
202.200.1.0.in-addr.arpa | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://a.pomf.cat/ | 4% | Virustotal |
https://a.pomf.cat/ | 100% | Avira URL Cloud | phishing
http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.php | 8% | Virustotal |
http://pomf.cat/upload.php | 0% | Avira URL Cloud | safe
http://bot.whatismyipaddress.com4 | 0% | Avira URL Cloud | safe
http://pomf.cat/upload.phpCContent-Disposition: | 0% | Avira URL Cloud | safe

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
202.200.1.0.in-addr.arpa | unknown | unknown | false | | unknown
bot.whatismyipaddress.com | unknown | unknown | false | | high

Contacted URLs
Name | Source | Malicious | Antivirus Detection | Reputation
https://a.pomf.cat/ | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | 4% Virustotal; Avira URL Cloud: phishing | unknown
http://pomf.cat/upload.php&https://a.pomf.cat/ | PasswordStealer.NET.exe, 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp; PasswordStealer.NET.exe, 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp; PasswordStealer.NET.exe, 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp; AppLaunch.exe, 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp; AppLaunch.exe, 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://bot.whatismyipaddress.com | AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pomf.cat/upload.php | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | 8% Virustotal; Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | AppLaunch.exe, 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://bot.whatismyipaddress.com4 | AppLaunch.exe, 0000000C.00000002.376545778.0000000007322000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 0000000C.00000002.376516668.00000000072DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://bot.whatismyipaddress.com/ | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pomf.cat/upload.phpCContent-Disposition: | AppLaunch.exe, 0000000C.00000002.376459327.0000000007273000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    No contacted IP infos
                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:576204
                    Start date:22.02.2022
                    Start time:09:21:39
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 36s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:PasswordStealer.NET.bin (renamed file extension from bin to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/3@2/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 0.9% (good quality ratio 0.6%)
                    • Quality average: 42%
                    • Quality standard deviation: 38.6%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 48
                    • Number of non-executed functions: 5
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.211.4.86
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:22:57 | API Interceptor | 1x Sleep call for process: PasswordStealer.NET.exe modified
09:23:12 | API Interceptor | 2x Sleep call for process: AppLaunch.exe modified
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1220
                    Entropy (8bit):5.354495486938689
                    Encrypted:false
                    SSDEEP:24:MLUE4Ko84qpE4Ks2vsXE4G1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHKov2HKXCHG1qHiYHKhQnoPtHoxHhA
                    MD5:5B6EF9C36F177ED0124E042B9579BE85
                    SHA1:1C8AFB1CA723ADC174C853F46CE2FF8748E08762
                    SHA-256:9905271FEFA625D10CC63C7EF369FB800B66C2FBEA20BED2136365007C7362BF
                    SHA-512:6CA97E07E2EFFEAC30F22C9FC493010C1A161DDC2D4999814EF14DC70DC223F8419363EC1BFA97D8EA5267CC3249CDEEE3DE04F3517F0C00B9B45A57D50DD545
                    Malicious:false
                    Reputation:low
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.C
                    Process:C:\Users\user\Desktop\PasswordStealer.NET.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.355304211458859
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                    MD5:FED34146BF2F2FA59DCF8702FCC8232E
                    SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                    SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                    SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):88
                    Entropy (8bit):5.38967064718937
                    Encrypted:false
                    SSDEEP:3:Gulft/nKhyDrV/2TOA4LiUQF5DvDRI+:DtfQQrV/2TOA4LgF5D1I+
                    MD5:BB53A1C0B81C866F8BE64DD5532967B8
                    SHA1:716BC31FB2FF50F8B8EAD2A4878B95F41AF6F9AF
                    SHA-256:DE572CC1E0A16905FF7C62D63B20668BD8BEA5527FFD2F196A001EFB7FB5926E
                    SHA-512:98CC3A8A8FB57E8339B9AE0BD436A4F756E6378E92F97B569231A09C76345254994CBC70AFE779F9C963AAA32F114B985224C5AD2E79FDE09C20942C302D6D82
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:6C+hP5HoTpHrvlsqBHBHoAd4oFxWfNp+z/Sv5IQWNOfLdMd/OERNbN8eWAq7MV256h0Abi93JHh7y5stlf4OVA==
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):6.299563056438947
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:PasswordStealer.NET.exe
                    File size:1272320
                    MD5:fb2ca93f987313108abdd4a6d687783a
                    SHA1:0783b8327a88aff87c627497d4333fd778da59be
                    SHA256:b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
                    SHA512:6fc15ca06da66661c733ed4aeeff40a11791739ab104e607262b55e217658277246cfec7b2dd586bbd58067bf1a67a4fd7e9462ffe5f591fc7a2ee1cfefcab25
                    SSDEEP:12288:KKn7XIK6rFQuoa+xhXy7CNI7TMq9IOvK2TaSJbeWBSuIGZi0k:K6XIFxxh+xhUCCTMyIOv52DWBQGI
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................^...........}... ........@.. ....................................@................................
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x537d2e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0xF0A0ADD [Fri Dec 30 07:53:01 1977 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the rest of the disassembled entry-point window is zero padding, which the disassembler rendered as 97 repeated "add byte ptr [eax], al")
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x137cdc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x644 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x135d34 | 0x135e00 | False | 0.526958482503 | data | 6.30284310521 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x138000 | 0x644 | 0x800 | False | 0.35400390625 | data | 4.61936656922 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1380a0 | 0x3b8 | COM executable for DOS (libmagic's guess from the leading 0xB8 length byte of the VS_VERSIONINFO block; this is the version resource, not code) | |
RT_MANIFEST | 0x138458 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
                    Description       Data
                    Translation       0x0000 0x04b0
                    LegalCopyright    Copyright 2018 Granite Construction Incorporated
                    Assembly Version  0.0.0.0
                    InternalName      007.exe
                    FileVersion       1.13.31.2
                    CompanyName       Granite Construction Incorporated
                    Comments          oyelodozotecepitucazad
                    ProductName       IIS request monitor
                    ProductVersion    1.13.31.2
                    FileDescription   IIS request monitor
                    OriginalFilename  007.exe
                    Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                    Feb 22, 2022 09:23:16.302151918 CET  60784        53         192.168.2.3  8.8.8.8
                    Feb 22, 2022 09:23:16.318984985 CET  53           60784      8.8.8.8      192.168.2.3
                    Feb 22, 2022 09:23:16.601305962 CET  51143        53         192.168.2.3  8.8.8.8
                    Feb 22, 2022 09:23:16.619818926 CET  53           51143      8.8.8.8      192.168.2.3
                    Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type                  Class
                    Feb 22, 2022 09:23:16.302151918 CET  192.168.2.3  8.8.8.8  0x9a04    Standard query (0)  202.200.1.0.in-addr.arpa   PTR (Pointer record)  IN (0x0001)
                    Feb 22, 2022 09:23:16.601305962 CET  192.168.2.3  8.8.8.8  0xdceb    Standard query (0)  bot.whatismyipaddress.com  A (IP address)        IN (0x0001)
                    Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                      CName  Address  Type                  Class
                    Feb 22, 2022 09:23:16.318984985 CET  8.8.8.8    192.168.2.3  0x9a04    Name error (3)  202.200.1.0.in-addr.arpa  none   none     PTR (Pointer record)  IN (0x0001)


                    Target ID:1
                    Start time:09:22:29
                    Start date:22/02/2022
                    Path:C:\Users\user\Desktop\PasswordStealer.NET.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\PasswordStealer.NET.exe"
                    Imagebase:0x9a0000
                    File size:1272320 bytes
                    MD5 hash:FB2CA93F987313108ABDD4A6D687783A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.367424927.00000000041CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.367080602.000000000402E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.366769959.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low

                    Target ID:12
                    Start time:09:23:03
                    Start date:22/02/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    Imagebase:0xf20000
                    File size:98912 bytes
                    MD5 hash:6807F903AC06FF7E1670181378690B22
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.357553921.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.359164021.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.360604963.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000003.365718938.0000000008AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.376052616.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000000.360998857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.377094587.000000000BBB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate


                      Execution Graph

                      Execution Coverage:7.6%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:86
                      Total number of Limit Nodes:6
                      execution_graph 13851 13ff138 13852 13ff1a0 CreateWindowExW 13851->13852 13854 13ff25c 13852->13854 13855 13f6d58 13856 13f6d86 13855->13856 13859 13f69ac 13856->13859 13858 13f6da6 13860 13f69b7 13859->13860 13861 13f74ae 13860->13861 13864 13f767b 13860->13864 13870 13f7688 13860->13870 13861->13858 13865 13f76a9 13864->13865 13866 13f76cd 13865->13866 13876 13f789b 13865->13876 13883 13f7833 13865->13883 13887 13f7838 13865->13887 13866->13861 13872 13f76a9 13870->13872 13871 13f76cd 13871->13861 13872->13871 13873 13f789b 2 API calls 13872->13873 13874 13f7838 2 API calls 13872->13874 13875 13f7833 2 API calls 13872->13875 13873->13871 13874->13871 13875->13871 13877 13f786e 13876->13877 13880 13f789f 13876->13880 13878 13f787e 13877->13878 13891 13f7170 13877->13891 13878->13866 13882 13f78f0 13880->13882 13895 13f71a4 13880->13895 13882->13882 13884 13f7845 13883->13884 13885 13f787e 13884->13885 13886 13f7170 2 API calls 13884->13886 13885->13866 13886->13885 13890 13f7845 13887->13890 13888 13f787e 13888->13866 13889 13f7170 2 API calls 13889->13888 13890->13888 13890->13889 13892 13f717b 13891->13892 13893 13f71a4 2 API calls 13892->13893 13894 13f78f0 13892->13894 13893->13894 13896 13f71af 13895->13896 13902 13f71b4 13896->13902 13898 13f7998 13898->13882 13901 13f795f 13906 13fc9b3 13901->13906 13912 13fc9b8 13901->13912 13903 13f71bf 13902->13903 13904 13f808a 13903->13904 13905 13f7688 2 API calls 13903->13905 13904->13901 13905->13904 13908 13fc9e9 13906->13908 13909 13fca35 13906->13909 13907 13fc9f5 13907->13898 13908->13907 13918 13fcc1f 13908->13918 13921 13fcc20 13908->13921 13909->13898 13914 13fc9e9 13912->13914 13915 13fca35 13912->13915 13913 13fc9f5 13913->13898 13914->13913 13916 13fcc1f 2 API calls 13914->13916 13917 13fcc20 2 API calls 13914->13917 13915->13898 13916->13915 13917->13915 13919 13fcc2a 13918->13919 13924 13fcc6b 13918->13924 13919->13909 13923 13fcc6b 2 API calls 13921->13923 13922 13fcc2a 
13922->13909 13923->13922 13925 13fcc83 13924->13925 13926 13fcc9b 13925->13926 13932 13fcef8 13925->13932 13936 13fcef7 13925->13936 13926->13919 13927 13fcc93 13927->13926 13928 13fce98 GetModuleHandleW 13927->13928 13929 13fcec5 13928->13929 13929->13919 13933 13fcf0c 13932->13933 13934 13fcf31 13933->13934 13940 13fbc28 13933->13940 13934->13927 13937 13fcf0c 13936->13937 13938 13fcf31 13937->13938 13939 13fbc28 LoadLibraryExW 13937->13939 13938->13927 13939->13938 13941 13fd0d8 LoadLibraryExW 13940->13941 13943 13fd151 13941->13943 13943->13934 13944 13f63a8 DuplicateHandle 13945 13f643e 13944->13945 13946 13f6180 GetCurrentProcess 13947 13f61fa GetCurrentThread 13946->13947 13948 13f61f3 13946->13948 13949 13f6237 GetCurrentProcess 13947->13949 13950 13f6230 13947->13950 13948->13947 13952 13f626d 13949->13952 13950->13949 13951 13f6295 GetCurrentThreadId 13953 13f62c6 13951->13953 13952->13951 13954 13ff380 SetWindowLongW 13955 13ff3ec 13954->13955

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 013F61E0
                      • GetCurrentThread.KERNEL32 ref: 013F621D
                      • GetCurrentProcess.KERNEL32 ref: 013F625A
                      • GetCurrentThreadId.KERNEL32 ref: 013F62B3
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 93ee57a15fcee740169e4d39961f8c2ba609fe4c064a1e8253ce728c8bfd6f36
                      • Instruction ID: 26797440dfc27e7693d4425c658c1e2a8d66b4b624b79b57c3e5a11799033a5b
                      • Opcode Fuzzy Hash: 93ee57a15fcee740169e4d39961f8c2ba609fe4c064a1e8253ce728c8bfd6f36
                      • Instruction Fuzzy Hash: D45165B4D006498FDB54CFA9DA49BDEBBF0AF88318F24855DE209A7350E7359848CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 013F61E0
                      • GetCurrentThread.KERNEL32 ref: 013F621D
                      • GetCurrentProcess.KERNEL32 ref: 013F625A
                      • GetCurrentThreadId.KERNEL32 ref: 013F62B3
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 946568652bf95a5056799f2327b7a95047c843d6d088a6f47aaa96f0c614b4df
                      • Instruction ID: a3b88f2978d84c7900a5f7a056bdb0a50ee9db2f4aee62b01348eb833cc26696
                      • Opcode Fuzzy Hash: 946568652bf95a5056799f2327b7a95047c843d6d088a6f47aaa96f0c614b4df
                      • Instruction Fuzzy Hash: 8A5164B4E006098FDB54CFA9DA48BDEBBF0AF88318F24855DE209A7350D7356844CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013FCEB6
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: acb3094e9e2eea3f1d3e9bea07af28fdccf815f783f75c870284b4838c788850
                      • Instruction ID: a71c0443a1e772f7bef57e0ccf600c46996ef4b0bb4f36f885ad74964043c772
                      • Opcode Fuzzy Hash: acb3094e9e2eea3f1d3e9bea07af28fdccf815f783f75c870284b4838c788850
                      • Instruction Fuzzy Hash: 72713A70A00B098FDB64DF69D154B9ABBF1BF88208F04892DE686D7B50D775E809CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 97 13ff12c-13ff19e 98 13ff1a9-13ff1b0 97->98 99 13ff1a0-13ff1a6 97->99 100 13ff1bb-13ff1f3 98->100 101 13ff1b2-13ff1b8 98->101 99->98 102 13ff1fb-13ff25a CreateWindowExW 100->102 101->100 103 13ff25c-13ff262 102->103 104 13ff263-13ff29b 102->104 103->104 108 13ff29d-13ff2a0 104->108 109 13ff2a8 104->109 108->109 110 13ff2a9 109->110 110->110
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013FF24A
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 43b7de4953b8854cef7a8617026b11bf8d29ab2018001f40015b79b241d4f888
                      • Instruction ID: cc118b1840d35862756eb3dbab6174ac99f0a19355af2ed8e984ca1b1681091f
                      • Opcode Fuzzy Hash: 43b7de4953b8854cef7a8617026b11bf8d29ab2018001f40015b79b241d4f888
                      • Instruction Fuzzy Hash: E251D2B5D00308AFDB14CF99C884ADEBFB5BF88314F24822EE915AB210D7759845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 111 13ff138-13ff19e 112 13ff1a9-13ff1b0 111->112 113 13ff1a0-13ff1a6 111->113 114 13ff1bb-13ff25a CreateWindowExW 112->114 115 13ff1b2-13ff1b8 112->115 113->112 117 13ff25c-13ff262 114->117 118 13ff263-13ff29b 114->118 115->114 117->118 122 13ff29d-13ff2a0 118->122 123 13ff2a8 118->123 122->123 124 13ff2a9 123->124 124->124
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013FF24A
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 62cd4f6b8f36683ef92da2392de7c16407fda07e1fe33ba6daf8174d15d32f9a
                      • Instruction ID: caa8c904de60023d132d376b733727d44a68b91f34a7af1e50b16460ee0d6b8d
                      • Opcode Fuzzy Hash: 62cd4f6b8f36683ef92da2392de7c16407fda07e1fe33ba6daf8174d15d32f9a
                      • Instruction Fuzzy Hash: DB41B0B5D00309AFDB14CF99C984ADEBBB5BF88314F24822AE919AB210D7759845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 125 13f63a3-13f643c DuplicateHandle 126 13f643e-13f6444 125->126 127 13f6445-13f6462 125->127 126->127
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013F642F
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: d2e2bb4348cb1e15e5c8fb47bded531762d0110ce85d36615832e61be7dc4748
                      • Instruction ID: 17912a84402fd1a00abdf3c109647189946483b2b651e2f3d070c8cd20d3369b
                      • Opcode Fuzzy Hash: d2e2bb4348cb1e15e5c8fb47bded531762d0110ce85d36615832e61be7dc4748
                      • Instruction Fuzzy Hash: 95210EB5D00248AFDB10CFA9D985AEEBBF5EF48324F14801AE914B7310D378A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 130 13f63a8-13f643c DuplicateHandle 131 13f643e-13f6444 130->131 132 13f6445-13f6462 130->132 131->132
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013F642F
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 0162b96f8ca33924c1166618b67a3a6e34b5e4d9047a026ada0310d2ec437ede
                      • Instruction ID: 6d8aab6e97b68a77123c2304fa5d379684026162646c6ce821466463fb4f5187
                      • Opcode Fuzzy Hash: 0162b96f8ca33924c1166618b67a3a6e34b5e4d9047a026ada0310d2ec437ede
                      • Instruction Fuzzy Hash: CC21C2B59002599FDB10CFA9D985ADEBBF9EB48324F14841AE914B7310D378A944CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 135 13fbc28-13fd118 137 13fd11a-13fd11d 135->137 138 13fd120-13fd14f LoadLibraryExW 135->138 137->138 139 13fd158-13fd175 138->139 140 13fd151-13fd157 138->140 140->139
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013FCF31,00000800,00000000,00000000), ref: 013FD142
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: cce882d6a1a6c86513d5dddbd1ba707907a4c3f9edcf89aa1af3ceb68c63ca65
                      • Instruction ID: e93e056f0d02d11d32c38aa2d41c9337f53688562bca06e7c927e29137ba416d
                      • Opcode Fuzzy Hash: cce882d6a1a6c86513d5dddbd1ba707907a4c3f9edcf89aa1af3ceb68c63ca65
                      • Instruction Fuzzy Hash: A21147B59002498FDB10CF9AC848ADEFBF4EB88314F10841EE615A7700C375A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 143 13fd0d0-13fd118 145 13fd11a-13fd11d 143->145 146 13fd120-13fd14f LoadLibraryExW 143->146 145->146 147 13fd158-13fd175 146->147 148 13fd151-13fd157 146->148 148->147
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013FCF31,00000800,00000000,00000000), ref: 013FD142
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 51365e9b0681bc9e47f2e31e690d96ad1e31a35c4823b27af0fdef5953122402
                      • Instruction ID: c8d44840c293f91dbd48f4c05ce147905e9a5c1408f411fc2b378fa2e4e81242
                      • Opcode Fuzzy Hash: 51365e9b0681bc9e47f2e31e690d96ad1e31a35c4823b27af0fdef5953122402
                      • Instruction Fuzzy Hash: 651114B6D042498FDB10CF9AD848AEEFBF4AB98314F14851ED519A7600C379A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 151 13fce50-13fce90 152 13fce98-13fcec3 GetModuleHandleW 151->152 153 13fce92-13fce95 151->153 154 13fcecc-13fcee0 152->154 155 13fcec5-13fcecb 152->155 153->152 155->154
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 013FCEB6
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: a7d6ad5a448d52c82c1c1182139d6248e80c0fe180d43205aa8e1a1293d78e85
                      • Instruction ID: d638355f218a4302727c16bbfde2edd6880bdac5d5c1b1bb0059e7ab873a7b23
                      • Opcode Fuzzy Hash: a7d6ad5a448d52c82c1c1182139d6248e80c0fe180d43205aa8e1a1293d78e85
                      • Instruction Fuzzy Hash: 11110FB6C002498FDB20CF9AC444ADEFBF4AB88328F14851AD529B7600D379A549CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 157 13ff378-13ff3ea SetWindowLongW 158 13ff3ec-13ff3f2 157->158 159 13ff3f3-13ff407 157->159 158->159
                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 013FF3DD
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 9a2ddf69e71835435b47dd93b1e69415417750593dace62abb8e644f616615d3
                      • Instruction ID: e2671902eeb073ea14c2ac4210e352e9cf0bb266d12739f3c4dd6d16fb9631e6
                      • Opcode Fuzzy Hash: 9a2ddf69e71835435b47dd93b1e69415417750593dace62abb8e644f616615d3
                      • Instruction Fuzzy Hash: 9A11F2B58002498FDB10CF99D585BEEFBF8FB88328F24851AD955A7600D374A948CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 162 13ff380-13ff3ea SetWindowLongW 163 13ff3ec-13ff3f2 162->163 164 13ff3f3-13ff407 162->164 163->164
                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 013FF3DD
                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 99c72422620179205066835b4963994d94ffeb9008a42ad2cd162ff7a7247b69
                      • Instruction ID: c600596b05f7644490990bf427d52255bb690b3fe63053e2166f2293a042ae5f
                      • Opcode Fuzzy Hash: 99c72422620179205066835b4963994d94ffeb9008a42ad2cd162ff7a7247b69
                      • Instruction Fuzzy Hash: C501D0B48002499FDB10CF9AC589B9EBBF8EB48318F248509E954A7340D3B8A944CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365151384.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_109d000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dbee1fc978324c57e49a3e8422ae51afc65d9ae53fd429872bd02651ced7a3cb
                      • Instruction ID: ee43edfae5da9b303f60e8450057175c10d1ccbb87758711869e221e841671c8
                      • Opcode Fuzzy Hash: dbee1fc978324c57e49a3e8422ae51afc65d9ae53fd429872bd02651ced7a3cb
                      • Instruction Fuzzy Hash: D52175B1544204DFDF01DF44D9C0F6ABFA5FB84324F24C5A8E9450B206C736E806D7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365181782.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_10ad000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf27572cd52e14f0343c84739302eae68cbf12533b4df2dcc52ec2e98c4908fb
                      • Instruction ID: eb182c915cff3e7f9bb109a022e2bd1a4f55a980d9ecb42bf66d6b606454e485
                      • Opcode Fuzzy Hash: bf27572cd52e14f0343c84739302eae68cbf12533b4df2dcc52ec2e98c4908fb
                      • Instruction Fuzzy Hash: 00214570644204DFCB10CF94D9C0F16BBA5FB84354F64C5A9E9894B642C336D806CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365181782.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_10ad000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 85e694ecb43452a7a1ea5bf673915c9ac8dd1304527a8a4cd1efb0d5c3e7fa2e
                      • Instruction ID: dc80bd2be544b2ac7fe8b96ddeef24dd2aa72918d959c3a4479a0c904ad94702
                      • Opcode Fuzzy Hash: 85e694ecb43452a7a1ea5bf673915c9ac8dd1304527a8a4cd1efb0d5c3e7fa2e
                      • Instruction Fuzzy Hash: 6A2180754483809FCB02CF64D994B11BFB1EB46214F28C5DAD8858F667C33A985ACB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365151384.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_109d000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 047e043be513afc1d1a9f8cf679f22ef3a6e3b5a067542c557c4006cbcc6beb6
                      • Instruction ID: 0be4b653bccfce6fe8b330cdda2cbefb24901d1e4c5a9179a73573baec311281
                      • Opcode Fuzzy Hash: 047e043be513afc1d1a9f8cf679f22ef3a6e3b5a067542c557c4006cbcc6beb6
                      • Instruction Fuzzy Hash: 8C11AF76444280CFDF12CF54D5D4B56BFA2FB84324F24C6A9D8490B616C336E45ADBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365151384.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_109d000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c45d992c0af8f6aef82a90aff8900100c8547f57c09aabf3b9e5099bc2d0ec0d
                      • Instruction ID: f14dd3e27b228e783325219b410f4b376e668298797f44692fa1034a2fd95537
                      • Opcode Fuzzy Hash: c45d992c0af8f6aef82a90aff8900100c8547f57c09aabf3b9e5099bc2d0ec0d
                      • Instruction Fuzzy Hash: 8A01F7710483C4AAEB114B69CD84B6EFFDCFF41224F18849AEA445B246E3799844D7B1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365151384.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_109d000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 361b27337b5ce32e5caccc1d759b6e73101fc827c7480528c90108f1c5b2ba69
                      • Instruction ID: ee508ed74d08e509e8358e94a127bd0e48b69f244f0aa22d1997c251984af5cd
                      • Opcode Fuzzy Hash: 361b27337b5ce32e5caccc1d759b6e73101fc827c7480528c90108f1c5b2ba69
                      • Instruction Fuzzy Hash: 71F0C271404384AEEB218F1ACD84B66FFD8EF41334F18C49AEE485B286D3799844DBB1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.364690039.00000000009A2000.00000002.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                      • Associated: 00000001.00000002.364678745.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_9a0000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID: -$.
                      • API String ID: 0-3807043784
                      • Opcode ID: 55ee728f48b43f5d56f0441c7a99d89f5d659f8653ed0f00356b5beab30f9404
                      • Instruction ID: 2c5af20d2f243ed888c559a4d959711757f720c5b3017f04be2c9c35fd25bf88
                      • Opcode Fuzzy Hash: 55ee728f48b43f5d56f0441c7a99d89f5d659f8653ed0f00356b5beab30f9404
                      • Instruction Fuzzy Hash: 04C1E0A284E7C15FD3038B744CBA1817FB0AE6325471E4ADBC8C1CF4A3E158999AD763
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E009A4628(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi) {
                      				signed char _t61;
                      				signed char _t62;
                      				intOrPtr* _t63;
                      				intOrPtr* _t64;
                      				signed int _t65;
                      				intOrPtr* _t70;
                      				intOrPtr* _t72;
                      				intOrPtr* _t73;
                      				intOrPtr* _t75;
                      				signed char _t76;
                      				signed int _t77;
                      				signed char _t79;
                      				signed char _t80;
                      				signed int _t82;
                      				signed int _t84;
                      				signed char _t85;
                      				signed int _t86;
                      				signed int _t87;
                      				signed char _t88;
                      				signed int* _t90;
                      				signed char _t91;
                      				intOrPtr* _t92;
                      				void* _t97;
                      				signed int _t100;
                      				intOrPtr* _t101;
                      				signed char* _t105;
                      				signed char* _t106;
                      				void* _t112;
                      				intOrPtr* _t114;
                      				signed int _t116;
                      				void* _t136;
                      
                      				_t112 = __esi;
                      				_t108 = __edi;
                      				asm("lahf");
                      				_t97 = __ecx + 1;
                      				 *__eax =  *__eax + __eax;
                      				asm("int3");
                      				_t105 = __edx + 1;
                      				 *__eax =  *__eax + __eax;
                      				_t61 =  *0xcc000042;
                      				_t90 = __ebx + 1;
                      				 *_t61 =  *_t61 + _t61;
                      				 *((intOrPtr*)(_t116 + 0x44)) =  *((intOrPtr*)(_t116 + 0x44)) + _t97;
                      				 *_t61 =  *_t61 + _t61;
                      				 *_t90 =  *_t90 & _t61;
                      				_t90[0x10] = _t90[0x10] + _t97;
                      				 *_t61 =  *_t61 + _t61;
                      				if( *_t61 <= 0) {
                      					L8:
                      					 *_t61 =  *_t61 + _t61;
                      					_t62 = _t61 & 0x00000047;
                      					 *_t62 =  *_t62 + _t62;
                      					_t108 = _t108 + 1 - 1 + 1;
                      					 *_t62 =  *_t62 + _t62;
                      					asm("into");
                      					 *_t62 =  *_t62 + _t62;
                      					asm("stc");
                      					_t114 = _t112 + 2;
                      					 *_t62 =  *_t62 + _t62;
                      					_t63 = _t62 - 1;
                      					 *_t63 =  *_t63 + _t63;
                      					_push(_t97);
                      					_t64 = _t63 - 1;
                      					 *_t64 =  *_t64 + _t64;
                      					 *_t105 =  *_t105 - _t97;
                      					 *_t64 =  *_t64 + _t64;
                      					asm("ror byte [eax], 1");
                      					 *((intOrPtr*)(_t116 + 0x26000048)) =  *((intOrPtr*)(_t116 + 0x26000048)) + _t64;
                      					_t100 = _t97 + _t90;
                      					 *_t64 =  *_t64 + _t64;
                      					asm("sti");
                      					_t65 = _t64 - 1;
                      					 *_t65 =  *_t65 + _t65;
                      					_t136 =  *_t65;
                      					goto L9;
                      				} else {
                      					 *_t61 =  *_t61 + _t61;
                      					_t88 =  *0x78000043;
                      					 *_t88 =  *_t88 + _t88;
                      					 *0x24000044 = _t88;
                      					_t114 = __esi + 1;
                      					 *_t88 =  *_t88 + _t88;
                      					_t100 = _t97 + _t90;
                      					 *_t88 =  *_t88 + _t88;
                      					asm("into");
                      					 *_t88 =  *_t88 + _t88;
                      					 *0x78000045 = _t88;
                      					 *_t88 =  *_t88 + _t88;
                      					_t116 = _t116 + 3 - 1 + 1;
                      					 *_t88 =  *_t88 + _t88;
                      					_t65 = _t88 &  *_t116;
                      					_t90 = _t90 + _t105;
                      					 *_t65 =  *_t65 + _t65;
                      					if( *_t65 != 0) {
                      						L9:
                      						if(_t136 < 0) {
                      							goto L13;
                      						} else {
                      							 *_t65 =  *_t65 + _t65;
                      							_push(_t100);
                      							_t100 = _t100 - 1;
                      							 *_t65 =  *_t65 + _t65;
                      							asm("ror byte [ecx], cl");
                      							 *((intOrPtr*)(_t108 - 0x2bffffb7)) =  *((intOrPtr*)(_t108 - 0x2bffffb7)) + _t65;
                      							goto L11;
                      						}
                      					} else {
                      						 *_t65 =  *_t65 + _t65;
                      						_t114 = _t114 + 1;
                      						 *_t65 =  *_t65 + _t65;
                      						asm("rol byte [edi], 1");
                      						_t90 = _t90 + _t90;
                      						_t108 = __edi - 1 + 1;
                      						 *_t65 =  *_t65 + _t65;
                      						if( *_t65 != 0) {
                      							L11:
                      							_t90 = _t90 - 1;
                      							 *_t65 =  *_t65 + _t65;
                      							 *_t90 =  *_t90 - 1;
                      							 *((intOrPtr*)(_t105 + _t100 * 2)) =  *((intOrPtr*)(_t105 + _t100 * 2)) + _t90;
                      							 *((intOrPtr*)(_t108 - 0x2dffffb6)) =  *((intOrPtr*)(_t108 - 0x2dffffb6)) + _t65;
                      							 *_t65 =  *_t65 + _t65;
                      							asm("std");
                      							_t105 = _t105;
                      							 *_t65 =  *_t65 + _t65;
                      							 *_t90 =  *_t90 - _t100;
                      							_t90[0x12] =  &(_t105[_t90[0x12]]);
                      							 *_t65 =  *_t65 + _t65;
                      							if( *_t65 > 0) {
                      								 *_t65 =  *_t65 + _t65;
                      								asm("daa");
                      								 *_t65 =  *_t65 + _t65;
                      								 *_t65 =  *_t65 + _t65;
                      								_t105 = 0x27;
                      								 *_t65 =  *_t65 + _t65;
                      								asm("loope 0x29");
                      								 *_t65 =  *_t65 + _t65;
                      								_t65 = _t65 | 0x00000028;
                      								 *_t65 =  *_t65 + _t65;
                      								L13:
                      								 *_t108 =  *_t108 + _t105;
                      								 *_t65 =  *_t65 - _t65;
                      								_t105[0x28] = _t105[0x28] + _t65;
                      								 *_t65 =  *_t65 + _t65;
                      								_t116 = _t65;
                      								 *_t65 =  *_t65 + _t65;
                      								 *0xe3000028 =  *0xe3000028 - 0xe3000028;
                      								 *((intOrPtr*)(_t90 + _t116)) =  *((intOrPtr*)(_t90 + _t116)) + 0xe3000028;
                      								 *((intOrPtr*)(_t108 + 0xe00002b)) =  *((intOrPtr*)(_t108 + 0xe00002b)) + _t100;
                      								 *_t100 =  *_t100 + _t90;
                      								 *0xe3000028 =  *0xe3000028 + _t105;
                      								 *_t90 = _t90 +  *_t90;
                      								_t65 = 0xe3000028 -  *0xe3000028 -  *((intOrPtr*)(0xe3000028 -  *0xe3000028));
                      								 *((intOrPtr*)(_t105 - 0x1affffd5)) =  *((intOrPtr*)(_t105 - 0x1affffd5)) + _t90;
                      							}
                      						} else {
                      							 *_t65 =  *_t65 + _t65;
                      							asm("movsd");
                      							goto L8;
                      						}
                      					}
                      				}
                      				_t70 = _t65 -  *_t65;
                      				 *((intOrPtr*)(_t114 + 0x2c)) =  *((intOrPtr*)(_t114 + 0x2c)) + _t70;
                      				 *_t70 =  *_t70 + _t70;
                      				_t101 = _t70;
                      				_t72 = _t100;
                      				_t105[0x29] = _t105[0x29] + _t72;
                      				 *_t72 =  *_t72 + _t72;
                      				asm("aaa");
                      				 *_t72 =  *_t72 - _t72;
                      				 *((intOrPtr*)(_t72 - 0x72ffffd7)) =  *((intOrPtr*)(_t72 - 0x72ffffd7)) + _t90;
                      				 *_t72 =  *_t72 - _t72;
                      				 *_t114 =  *_t114 + _t101;
                      				_t73 = _t72 -  *_t72;
                      				_t91 = _t90 + _t73;
                      				 *_t73 =  *_t73 - _t73;
                      				_t105[_t116] = _t105[_t116] + _t73;
                      				 *_t101 =  *_t101 + _t91;
                      				 *((intOrPtr*)(_t105 - 0x70ffffd6)) =  *((intOrPtr*)(_t105 - 0x70ffffd6)) + _t91;
                      				_t75 = _t73 -  *_t73 -  *((intOrPtr*)(_t73 -  *_t73));
                      				 *((intOrPtr*)(_t75 + 0x2f)) =  *((intOrPtr*)(_t75 + 0x2f)) + _t101;
                      				 *_t75 =  *_t75 + _t75;
                      				_t76 = _t91;
                      				_t92 = _t75;
                      				asm("das");
                      				 *_t76 =  *_t76 + _t76;
                      				asm("das");
                      				 *_t76 =  *_t76 + _t76;
                      				 *[cs:eax] =  *[cs:eax] + _t76;
                      				asm("adc ch, [edi]");
                      				 *_t76 =  *_t76 + _t76;
                      				 *_t76 =  *_t76 ^ _t76;
                      				 *_t108 =  *_t108 + _t92;
                      				 *_t76 =  *_t76 ^ _t76;
                      				 *0xFFFFFFFFE900005C =  *((intOrPtr*)(0xffffffffe900005c)) + _t76;
                      				 *_t76 =  *_t76 + _t76;
                      				 *_t76 =  *_t76 + _t76;
                      				asm("in eax, 0x2c");
                      				 *_t76 =  *_t76 + _t76;
                      				asm("adc ch, [esi]");
                      				 *_t76 =  *_t76 + _t76;
                      				asm("out 0x2d, eax");
                      				 *_t76 =  *_t76 + _t76;
                      				_t77 = _t76 - 0x2e680000;
                      				 *_t77 =  *_t77 + _t77;
                      				 *((intOrPtr*)(_t108 + 0x16000033)) =  *((intOrPtr*)(_t108 + 0x16000033)) + _t105;
                      				_t79 = _t77 ^  *_t77 ^  *(_t77 ^  *_t77);
                      				 *((intOrPtr*)(_t101 + 0x33)) =  *((intOrPtr*)(_t101 + 0x33)) + _t79;
                      				 *_t79 =  *_t79 + _t79;
                      				 *_t105 =  *_t105 << 0;
                      				_t80 = _t79 ^  *_t79;
                      				_t105[0x32] = _t105[0x32] + _t101;
                      				 *_t80 =  *_t80 + _t80;
                      				_t82 = _t116 ^  *_t116;
                      				_t106 =  &(_t105[_t82]);
                      				_t84 = _t82 ^  *_t82 ^  *(_t82 ^  *_t82);
                      				 *((intOrPtr*)(_t106 + 0x31)) =  *((intOrPtr*)(_t106 + 0x31)) + _t101 + _t101;
                      				 *_t84 =  *_t84 + _t84;
                      				asm("aas");
                      				 *_t84 =  *_t84 ^ _t84;
                      				_t85 = _t84 + _t84;
                      				 *_t85 =  *_t85 ^ _t85;
                      				 *((intOrPtr*)(_t80 - 0x41ffffcf)) =  *((intOrPtr*)(_t80 - 0x41ffffcf)) + _t106;
                      				 *_t85 =  *_t85 ^ _t85;
                      				 *((intOrPtr*)(_t92 + _t101 + 0x14000030)) =  *((intOrPtr*)(_t92 + _t101 + 0x14000030)) + _t106;
                      				 *_t85 =  *_t85 ^ _t85;
                      				 *_t85 =  *_t85 ^ _t85;
                      				 *0xe900002f =  *0xe900002f + _t106;
                      				_t86 = _t85 ^  *_t85;
                      				 *_t86 =  *_t86 ^ _t86;
                      				 *((intOrPtr*)(_t86 + 0x37)) =  *((intOrPtr*)(_t86 + 0x37)) + _t106;
                      				 *_t86 =  *_t86 + _t86;
                      				asm("wait");
                      				asm("aaa");
                      				 *_t86 =  *_t86 + _t86;
                      				asm("sbb [esi], dh");
                      				 *_t86 =  *_t86 + _t86;
                      				 *[ss:eax] =  *[ss:eax] + _t86;
                      				asm("outsb");
                      				 *[ss:eax] =  *[ss:eax] + _t86;
                      				asm("cdq");
                      				 *[ss:eax] =  *[ss:eax] + _t86;
                      				asm("les esi, [esi]");
                      				 *_t86 =  *_t86 + _t86;
                      				asm("out dx, eax");
                      				 *[ss:eax] =  *[ss:eax] + _t86;
                      				asm("sbb dh, [edi]");
                      				 *_t86 =  *_t86 + _t86;
                      				asm("aaa");
                      				 *_t86 =  *_t86 + _t86;
                      				asm("outsb");
                      				_t87 = _t86 ^ 0x35430000;
                      				 *_t87 =  *_t87 + _t87;
                      				asm("sbb [0x34ed0000], dh");
                      				 *_t87 =  *_t87 + _t87;
                      				return _t87;
                      			}


                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.364690039.00000000009A2000.00000002.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                      • Associated: 00000001.00000002.364678745.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_9a0000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID: -$.
                      • API String ID: 0-3807043784
                      • Opcode ID: 309d6aef7929785665a9f7f299e5f91ce0440fedf2352ff0495c1651d5a0000d
                      • Instruction ID: 44158d2897d298176a63471e92f1258e115c57c4ab4cb93bcae4ae085cccb052
                      • Opcode Fuzzy Hash: 309d6aef7929785665a9f7f299e5f91ce0440fedf2352ff0495c1651d5a0000d
                      • Instruction Fuzzy Hash: 2191C0A244E3C14FD7038B744CBA1817FB0AE5325471E4ADBC8C1CF4E3E6585A5AD366
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3df09bb9fcf53e9844b087250745d264d5442ff29b77e73ade94b94d0db1774c
                      • Instruction ID: 0e692752e1382fa24d36134feaa9f2d590d8b9387d379e1071de898f3c07e3e9
                      • Opcode Fuzzy Hash: 3df09bb9fcf53e9844b087250745d264d5442ff29b77e73ade94b94d0db1774c
                      • Instruction Fuzzy Hash: A812D4F1DD17468AD310CF65E88A3A93BA1F7C23A8FD04B09D2611AAD4D7B9116ECF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: de65080033bfaedca8b95494c36049c749918ae9247f7c1951d1aafeafc17999
                      • Instruction ID: 02c7b269082449925bddef2ccf4006464b6b68bd6f5da3a51d01685deb3a8eec
                      • Opcode Fuzzy Hash: de65080033bfaedca8b95494c36049c749918ae9247f7c1951d1aafeafc17999
                      • Instruction Fuzzy Hash: 2AA15D72E0021ECFCF15DFA9C8449DDBBB6BF85304B15856AEA05AB225EB31E915CB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.365607314.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_13f0000_PasswordStealer.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 57cdbe551df63e00b4e9691d4c37d7b4e2db95686aba52412c45e1501abdb175
                      • Instruction ID: ebfd82b25089acca3d2b390f411496011a15def62e3e365d66b8554df1d5946e
                      • Opcode Fuzzy Hash: 57cdbe551df63e00b4e9691d4c37d7b4e2db95686aba52412c45e1501abdb175
                      • Instruction Fuzzy Hash: ABC129F1DD17468AD710CF65E88A3993B71FBC63A8F904B09D2612BAD4D7B4106ACF84
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:16%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:130
                      Total number of Limit Nodes:10
                      Execution graph (rendered call graph; node and edge data not reproduced). Windows APIs reached from the graphed entry points: CallWindowProcW, SetWindowLongW, PostMessageW, FindCloseChangeNotification, LoadLibraryA, EnumResourceNamesW, EnumResourceTypesW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle and CreateWindowExW.

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 09F7E6D8
                      • GetCurrentThread.KERNEL32 ref: 09F7E715
                      • GetCurrentProcess.KERNEL32 ref: 09F7E752
                      • GetCurrentThreadId.KERNEL32 ref: 09F7E7AB
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: e41d11c1a7d30bd9daa58daba788aefdfdd02299f5691d992f02f83054a52722
                      • Instruction ID: c52d71c5de846c5db76de2dcd4c5aff8d7e06050cf9b426a012973f652b10423
                      • Opcode Fuzzy Hash: e41d11c1a7d30bd9daa58daba788aefdfdd02299f5691d992f02f83054a52722
                      • Instruction Fuzzy Hash: 405187B09007498FDB00CFA9D548BDEBBF0AF88314F24859AE029B72A0D7355848CF25
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 09F7E6D8
                      • GetCurrentThread.KERNEL32 ref: 09F7E715
                      • GetCurrentProcess.KERNEL32 ref: 09F7E752
                      • GetCurrentThreadId.KERNEL32 ref: 09F7E7AB
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: e853252f303f0202b51b5641bb4eca75dea407d979cfaca61c41ec847e8b4be1
                      • Instruction ID: 07ce174fe78f6a7fa978034deb1866fa84bbb63623db8af451255ffcad1d2649
                      • Opcode Fuzzy Hash: e853252f303f0202b51b5641bb4eca75dea407d979cfaca61c41ec847e8b4be1
                      • Instruction Fuzzy Hash: C45154B49006498FDB10CFA9D648B9EBBF4AB88304F24859AE019B7260E7756848CF65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7b00a not reproduced; CreateWindowExW is called in basic block 9f7cd7b-9f7cde0)
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09F7CDCA
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 9ae575f2520b3cfd82ffcd1b9f8aec9fa8c732718c20a8fb1ffe03d737f2c002
                      • Instruction ID: a38e9e1d7401d873832d4fd48d588c70fe407ac3b8cfe087f84b0797a2ff653d
                      • Opcode Fuzzy Hash: 9ae575f2520b3cfd82ffcd1b9f8aec9fa8c732718c20a8fb1ffe03d737f2c002
                      • Instruction Fuzzy Hash: 2351FFB1D003499FDB15CFA9C880ADEBFB1FF49310F24816AE819AB251D7749846CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7b034 not reproduced; CreateWindowExW is called in basic block 9f7cd3b-9f7cde0)
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09F7CDCA
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: a8b4dc86f9b6de970ae998bc8c15191c89039cd86a3363a96d6aa9c40db5d4f8
                      • Instruction ID: c5b9f835f9a622c81ddcca00aa46c7a551e746e74f1c4c21fcb738a8d39804f8
                      • Opcode Fuzzy Hash: a8b4dc86f9b6de970ae998bc8c15191c89039cd86a3363a96d6aa9c40db5d4f8
                      • Instruction Fuzzy Hash: BD51ACB1D003099FDB14CF99C984ADEFBB5BF88314F24852AE819AB310D7759845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7ccac not reproduced; CreateWindowExW is called in basic block 9f7cd7b-9f7cde0)
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09F7CDCA
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 0ec223d3c2125bea67e5a53780f530c17d31d31faa03bc8015dee7c094797b88
                      • Instruction ID: 7249a2df8d708ae7d0102b619822a8446463049e50b84a092be9f7d0b83c1a67
                      • Opcode Fuzzy Hash: 0ec223d3c2125bea67e5a53780f530c17d31d31faa03bc8015dee7c094797b88
                      • Instruction Fuzzy Hash: 9251BDB1D003099FDB14CFA9C880ADEFBB5BF88314F24862AE819AB214D7759845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f71b54 not reproduced; LoadLibraryA is called in basic block 9f71c0b-9f71c5d)
                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 09F71C47
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: d054489f8c00feee6ddcb370f45e402b6a3fc2d6cfdceea1c65bda5123d2a2a0
                      • Instruction ID: f0281b94796a341349ab12e534fc81cd1aa19a6fbc459e23d6bdc14f5018d01d
                      • Opcode Fuzzy Hash: d054489f8c00feee6ddcb370f45e402b6a3fc2d6cfdceea1c65bda5123d2a2a0
                      • Instruction Fuzzy Hash: 17413370E042598FDB10CFA9C885BDEFBF1EB48314F14852AE815AB344D775984ACB81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7e404 not reproduced; CallWindowProcW is called in basic block 9f7f822-9f7f85a, and block 9f7f874-9f7f894 calls 9f7b05c)
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 09F7F849
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: dbd7ca577804c517168ef6036df6e0582d031b3504f3a79786bf980f23cae48b
                      • Instruction ID: 7dab45d89fe4219ea418c60f5dd2ce92a516316ed7f6d2136055bc067513e019
                      • Opcode Fuzzy Hash: dbd7ca577804c517168ef6036df6e0582d031b3504f3a79786bf980f23cae48b
                      • Instruction Fuzzy Hash: A04129B5900349DFDB10CF99C488AAAFBF5FB88314F24C559E519A7321D374A841CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f71b60 not reproduced; LoadLibraryA is called in basic block 9f71c0b-9f71c5d)
                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 09F71C47
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 3d8a78e368ea8ff7f417f3066e91c9a359f7fe2e25f21d6a52a4ce5502f44300
                      • Instruction ID: fc07482c7d444a44bb7806a6ef83858578e825a7e462e1086d1b05ebfea0b6ae
                      • Opcode Fuzzy Hash: 3d8a78e368ea8ff7f417f3066e91c9a359f7fe2e25f21d6a52a4ce5502f44300
                      • Instruction Fuzzy Hash: AA4125B0E043588FDB10CFA9C885BDEFBF1EB48314F14852AE815AB344D7B5984ACB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7e234 not reproduced; DuplicateHandle is called in basic block 9f7e234-9f7e93a)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F7E866,?,?,?,?,?), ref: 09F7E927
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 67f9b8173b5bb24f1250fe330a16275840204745c59e832773bc8bdf675acbe3
                      • Instruction ID: 88fa27d63f1d600b621b439e45809c3b4d96b9daa02a956d3535529bdc84fcdc
                      • Opcode Fuzzy Hash: 67f9b8173b5bb24f1250fe330a16275840204745c59e832773bc8bdf675acbe3
                      • Instruction Fuzzy Hash: 6C21EFB5D00209AFDB10CFA9D984AEEBBF8EB48324F14845AE954A7310D374A955CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 70f662c not reproduced; EnumResourceNamesW is called in basic block 70f6ac5-70f6afb)
                      APIs
                      • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,070F6A56,00000000,00000000), ref: 070F6AE8
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376396609.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_70f0000_AppLaunch.jbxd
                      Similarity
                      • API ID: EnumNamesResource
                      • String ID:
                      • API String ID: 3334572018-0
                      • Opcode ID: dcaaec61f1ecb41baad2b5af274a5a859f7f8833c548bcb2e0d4cc39a618b500
                      • Instruction ID: c3dce7eaf19c5789f3638d6dd5a6460b7b07572b611e02e29f1843b2658f134b
                      • Opcode Fuzzy Hash: dcaaec61f1ecb41baad2b5af274a5a859f7f8833c548bcb2e0d4cc39a618b500
                      • Instruction Fuzzy Hash: F52179B1A002099FDB50CF9AC844BEEBBF4EB88324F14C429E558A7740D775A945CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 70f6a69 not reproduced; EnumResourceNamesW is called in basic block 70f6ac5-70f6afb)
                      APIs
                      • EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,070F6A56,00000000,00000000), ref: 070F6AE8
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376396609.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_70f0000_AppLaunch.jbxd
                      Similarity
                      • API ID: EnumNamesResource
                      • String ID:
                      • API String ID: 3334572018-0
                      • Opcode ID: 780284d95224ade001db502ac846f71337eacad4438ac276a922ea907e65ccce
                      • Instruction ID: d0da3ae48cd78804f50f66e3e04afbfa52271ca6b89874dfe343616dbc745b8b
                      • Opcode Fuzzy Hash: 780284d95224ade001db502ac846f71337eacad4438ac276a922ea907e65ccce
                      • Instruction Fuzzy Hash: 242179B59002099FDB50CF99C844BEEBBF5EF88324F24C429E558A7740D774A945CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 9f7e898 not reproduced; DuplicateHandle is called in basic block 9f7e898-9f7e93a)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F7E866,?,?,?,?,?), ref: 09F7E927
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 40ab819080a7d7b3998aa605eba004f1168f688837b3db949252c1686c5009e3
                      • Instruction ID: db8cd267fd89be663dc4c0adb0e2351bd3991bd5f15fe63cc158019cc73d794d
                      • Opcode Fuzzy Hash: 40ab819080a7d7b3998aa605eba004f1168f688837b3db949252c1686c5009e3
                      • Instruction Fuzzy Hash: DC21F2B5D002099FDF10CFA9D884AEEBBF4FB48324F24845AE954A7310D374AA55CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (rendered graph for function 70f689a not reproduced; EnumResourceTypesW is called in basic block 70f68f6-70f692b)
                      APIs
                      • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 070F6918
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376396609.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_70f0000_AppLaunch.jbxd
                      Similarity
                      • API ID: EnumResourceTypes
                      • String ID:
                      • API String ID: 29811550-0
                      • Opcode ID: 7c9f81c7d2848e33aa90a07c64358190dcb1d88f7b62fa1f40ac26083431accc
                      • Instruction ID: d6823a2600c848a1d8581f3ad00b005096da9f9aad6b787df32a7c25a620891e
                      • Opcode Fuzzy Hash: 7c9f81c7d2848e33aa90a07c64358190dcb1d88f7b62fa1f40ac26083431accc
                      • Instruction Fuzzy Hash: 5D2157B1D002198FDB10CF99C944BEEFBF5EB88324F14852AE558B3640D778A946CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 070F6918
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376396609.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_70f0000_AppLaunch.jbxd
                      Similarity
                      • API ID: EnumResourceTypes
                      • String ID:
                      • API String ID: 29811550-0
                      • Opcode ID: 2c6608e64c70dd48a9c66021eb658450c61755d3fdd2d87aadb2206700987bab
                      • Instruction ID: f257ad6953eba1b7588d6b5f2c29c97d76d97b1506b5ce96bfbfbbfb9d81496b
                      • Opcode Fuzzy Hash: 2c6608e64c70dd48a9c66021eb658450c61755d3fdd2d87aadb2206700987bab
                      • Instruction Fuzzy Hash: 152157B1D002098FDB10CF99C844BEEFBF8EB88324F14842AD558A3640D774A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0A271569,?,?), ref: 0A271710
                      Memory Dump Source
                      • Source File: 0000000C.00000002.377006593.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_a270000_AppLaunch.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: 7ffc22b00933d6adb3ff2bb6924de74f64f24f80962a0a94e116c6a5cdafa4db
                      • Instruction ID: b8f7ee01a25741bad85adc9855ffb6763547ada35eb01fea275093b8d23a03bf
                      • Opcode Fuzzy Hash: 7ffc22b00933d6adb3ff2bb6924de74f64f24f80962a0a94e116c6a5cdafa4db
                      • Instruction Fuzzy Hash: 2F1146B58102098FCB10CF99C444BEEBBF4EF48324F248569D958A7340D778AA45CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0A271569,?,?), ref: 0A271710
                      Memory Dump Source
                      • Source File: 0000000C.00000002.377006593.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_a270000_AppLaunch.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: 14be57f521d278f8e4030c7724832628e591229983e7bf72ab09dda4a6dc495f
                      • Instruction ID: 4e59905015ede8a8544e8a723c46b13544d8cf1be64151c1da43119c93005e18
                      • Opcode Fuzzy Hash: 14be57f521d278f8e4030c7724832628e591229983e7bf72ab09dda4a6dc495f
                      • Instruction Fuzzy Hash: 841149B58002098FDB10CF99C4847DEBBF4EF88324F248559D554A7340D739A945CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,09F7CEF0,?,?,?,?), ref: 09F7CF65
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 3e3c6e53f2bb8743f1a6f144afcc1a0072d82acc653addd9c8279bfbd524ed5b
                      • Instruction ID: 5795eaf53015992ac9b7313c55e94a5de354122d2cd32f172ea6db61aec04e24
                      • Opcode Fuzzy Hash: 3e3c6e53f2bb8743f1a6f144afcc1a0072d82acc653addd9c8279bfbd524ed5b
                      • Instruction Fuzzy Hash: D51120B58002098FDB10CF99C485BDEFBF8EB48324F20854AE959B7300D375A946CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,09F7CEF0,?,?,?,?), ref: 09F7CF65
                      Memory Dump Source
                      • Source File: 0000000C.00000002.376901040.0000000009F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_9f70000_AppLaunch.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 7d1965f859332a9c117e7f4e7fd3c62ceb0d420b96df440c614c7d42fa0e0efe
                      • Instruction ID: b93b93343b076b93f8e4675793d309759b0bbaf8cb250ce2ff7d5e583df2e2b7
                      • Opcode Fuzzy Hash: 7d1965f859332a9c117e7f4e7fd3c62ceb0d420b96df440c614c7d42fa0e0efe
                      • Instruction Fuzzy Hash: 521113B59002098FDB10CF99C484BDEFBF8EB48324F20855AE955B7300D375A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A271045
                      Memory Dump Source
                      • Source File: 0000000C.00000002.377006593.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_a270000_AppLaunch.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: ac8770444640cff2e91203af443811cc0ce4cb05159858762da995de6465e09a
                      • Instruction ID: b0e982ec922ed80654842cfe23b45498b55d7a914ef9cc8650abdeb78f308d2c
                      • Opcode Fuzzy Hash: ac8770444640cff2e91203af443811cc0ce4cb05159858762da995de6465e09a
                      • Instruction Fuzzy Hash: 461116B58003499FDB10CF89C884BEEBBF8EB48324F108459E918A7700D375A955CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A271045
                      Memory Dump Source
                      • Source File: 0000000C.00000002.377006593.000000000A270000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A270000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_a270000_AppLaunch.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: a592ed437329aab948b68b8f1935d0fbd6063ad04ea98164a23385dc3c0ce9a9
                      • Instruction ID: bca98ba40697b36554ecaac6ab6d84a4892c6bcb4519fc2b907a3417b1b9a7b5
                      • Opcode Fuzzy Hash: a592ed437329aab948b68b8f1935d0fbd6063ad04ea98164a23385dc3c0ce9a9
                      • Instruction Fuzzy Hash: B81146B58003498FCB10CF99C484BDEBBF8FB48324F148459E854A7200D375A944CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%
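
                      The API entries above list the same call site once per overlapping function (DuplicateHandle at 09F7E927, PostMessageW at 0A271045 and CreateWindowExW at 09F7CDCA each appear more than once), so a triage pass wants the distinct call sites per API rather than the raw list. The Python helper below is an added example for this page, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the layout shown in this section (the regular expression assumes that layout is stable), collapses duplicate refs, and names the PostMessageW uMsg argument from a small table of Win32 window-message constants (WM_CLOSE is 0x0010). The sample input is copied from the entries in this section.

```python
import re
from collections import defaultdict

# Sample input copied from the "APIs" entries of this report section.
# The same call site is listed once per overlapping function, so refs repeat.
REPORT_LINES = """
• GetCurrentProcess.KERNEL32 ref: 09F7E6D8
• GetCurrentThread.KERNEL32 ref: 09F7E715
• GetCurrentProcess.KERNEL32 ref: 09F7E752
• GetCurrentThreadId.KERNEL32 ref: 09F7E7AB
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09F7CDCA
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 09F7CDCA
• LoadLibraryA.KERNELBASE(?), ref: 09F71C47
• CallWindowProcW.USER32(?,?,?,?,?), ref: 09F7F849
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F7E866,?,?,?,?,?), ref: 09F7E927
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,09F7E866,?,?,?,?,?), ref: 09F7E927
• EnumResourceNamesW.KERNELBASE(?,?,00000000,?,?,?,?,?,070F6A56,00000000,00000000), ref: 070F6AE8
• EnumResourceTypesW.KERNEL32(?,00000000,?), ref: 070F6918
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0A271569,?,?), ref: 0A271710
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,09F7CEF0,?,?,?,?), ref: 09F7CF65
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A271045
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A271045
"""

# Layout assumed from this page: "<api>.<module>(<args>), ref: <hex>" or
# "<api>.<module> ref: <hex>" when the plugin recovered no arguments.
API_REF_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 window-message constants (from winuser.h) used to name the uMsg argument.
WINDOW_MESSAGES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0400: "WM_USER"}


def parse_api_refs(text):
    """Return one dict per API line: api, module, args (list of str), ref (int)."""
    entries = []
    for line in text.splitlines():
        m = API_REF_RE.match(line.strip())
        if not m:
            continue
        args = m.group("args")
        entries.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return entries


def distinct_call_sites(entries):
    """Collapse duplicate listings: api -> sorted list of unique ref addresses."""
    sites = defaultdict(set)
    for e in entries:
        sites[e["api"]].add(e["ref"])
    return {api: sorted(refs) for api, refs in sites.items()}


def decode_post_message(entry):
    """For PostMessageW/SendMessageW, name the uMsg (second argument) if recovered."""
    if entry["api"] not in ("PostMessageW", "SendMessageW") or len(entry["args"]) < 2:
        return None
    msg = entry["args"][1]
    if msg == "?":  # argument not recovered by the plugin
        return None
    value = int(msg, 16)
    return WINDOW_MESSAGES.get(value, f"0x{value:04X}")


def summarize(text):
    """Distinct call sites per API plus any decoded window messages."""
    entries = parse_api_refs(text)
    call_sites = {api: [f"{r:08X}" for r in refs]
                  for api, refs in sorted(distinct_call_sites(entries).items())}
    messages = sorted({decode_post_message(e) for e in entries if decode_post_message(e)})
    return {"listed": len(entries), "call_sites": call_sites, "window_messages": messages}


if __name__ == "__main__":
    result = summarize(REPORT_LINES)
    print(f"{result['listed']} listings, {len(result['call_sites'])} distinct APIs")
    for api, refs in result["call_sites"].items():
        print(f"  {api}: {', '.join(refs)}")
    print("window messages posted:", ", ".join(result["window_messages"]))
```

                      Paste the full APIs listing of a report into REPORT_LINES to get the complete set of distinct call sites. On the sample above, 16 listings collapse to 12 APIs, and the 00000010 in both PostMessageW entries decodes to WM_CLOSE, so that call site asks a window to close rather than destroying it directly.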

                      Memory Dump Source
                      • Source File: 0000000C.00000002.376192653.00000000055FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 055FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_55fd000_AppLaunch.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: af4c2954a3704d6e9d49f19322cfdb9a91953ea02ed326b7a3f601a7fdf1a15e
                      • Instruction ID: bd2b475c8d83383e44b356d76eba1546f9d59056ac87bfe8eca1d01825d4ecc8
                      • Opcode Fuzzy Hash: af4c2954a3704d6e9d49f19322cfdb9a91953ea02ed326b7a3f601a7fdf1a15e
                      • Instruction Fuzzy Hash: 1621C172504244DFDB15DF14D9C8F26BB76FB88324F24C5A9EA054E206C376E856C7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000C.00000002.376192653.00000000055FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 055FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_55fd000_AppLaunch.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e66e8aaee277d4d9f277a9bfe374f0f08f6ee97f2d3453bcf66a950c56b5639
                      • Instruction ID: 61b2d1e394d4303d8614e3f01629008283aa2f0ad74242acf6383f9808d4461c
                      • Opcode Fuzzy Hash: 7e66e8aaee277d4d9f277a9bfe374f0f08f6ee97f2d3453bcf66a950c56b5639
                      • Instruction Fuzzy Hash: 5821B3B1504244DFDB05DF54D9C0F26BF76FB88328F248969EA054B246C336D856CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000C.00000002.376206002.000000000560D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0560D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_560d000_AppLaunch.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 94ad6aadba96444873fc24bd7992ca79df3d52395f50131fa1e3e063f1ca7156
                      • Instruction ID: e7bf52f02940006971a8d9c0ce30527786553af9c00e3d220f2f3f2f7d964acb
                      • Opcode Fuzzy Hash: 94ad6aadba96444873fc24bd7992ca79df3d52395f50131fa1e3e063f1ca7156
                      • Instruction Fuzzy Hash: 6F2138B1504244EFDB08DF54D9C0F27BB76FB84324F24C6A9E8094B786CB76D806CAA1
                      Uniqueness

                      Uniqueness Score: -1.00%
