Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
72QC-GMI2022.exe

Overview

General Information

Sample Name:72QC-GMI2022.exe
Analysis ID:601910
MD5:de8a8f710f5bfdacbc1843b997741b86
SHA1:3abf5d61febd54753055bb2707853ea2eace025a
SHA256:f97f876b529e2569d80b1190a249088582117b29aef9af9d8a0e992c2df2db2d
Tags:exehawkeye
Infos:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large strings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

Process Tree

  • System is w10x64
  • 72QC-GMI2022.exe (PID: 996 cmdline: "C:\Users\user\Desktop\72QC-GMI2022.exe" MD5: DE8A8F710F5BFDACBC1843B997741B86)
    • RegSvcs.exe (PID: 4792 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4480 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • vbc.exe (PID: 472 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6028 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 4528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6628 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WindowsUpdate.exe (PID: 5468 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
    00000006.00000002.352893302.0000000007C50000.00000004.08000000.00040000.00000000.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000006.00000002.352866498.0000000007C40000.00000004.08000000.00040000.00000000.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      Click to see the 60 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.0.RegSvcs.exe.2c4b32c.21.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      6.0.RegSvcs.exe.2e50e94.33.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      6.2.RegSvcs.exe.2e50e94.6.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
      • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
      6.0.RegSvcs.exe.45fa72.29.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        6.2.RegSvcs.exe.3c29930.7.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          Click to see the 189 entries

          Sigma Signatures

          There are no malicious signatures, click here to show all signatures.

          Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4480, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
          Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4480, TargetFilename: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: 72QC-GMI2022.exeVirustotal: Detection: 60%Perma Link
          Source: 72QC-GMI2022.exeReversingLabs: Detection: 57%
          Machine Learning detection for sample
          Source: 72QC-GMI2022.exeJoe Sandbox ML: detected
          Source: 6.0.RegSvcs.exe.400000.13.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.13.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.28.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.28.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.17.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.17.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.9.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.9.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.2.RegSvcs.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.5.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.5.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 6.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/AD.MExecute.lzrac
          Source: 6.0.RegSvcs.exe.400000.1.unpackAvira: Label: SPR/Tool.MailPassView.473
          Source: 72QC-GMI2022.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: unknownHTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.3:49764 version: TLS 1.0
          Source: 72QC-GMI2022.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Accessibility.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: RegSvcs.pdb, source: WindowsUpdate.exe, 00000016.00000000.312831914.0000000000CD2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe, 0000001A.00000000.330340825.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe.6.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: System.Runtime.Remoting.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: RegSvcs.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000001A.00000000.330340825.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe.6.dr
          Source: Binary string: System.Configuration.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Drawing.pdbMZ source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: CMemoryExecute.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Core.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Microsoft.VisualBasic.pdb\ source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.pdbH source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Drawing.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Management.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Core.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: System.Runtime.Remoting.pdbh source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: autorun.inf
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: autorun.inf
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: [autorun]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0527A630h6_2_0527A568
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0527A630h6_2_0527A559
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_05279EF5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_05272B75
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_05279A2D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C20594
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C22783
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then call 0527A6E8h6_2_07C2A67B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2A67B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2B4A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2330B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C24290
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2B17F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then call 0527A6E8h6_2_07C2AEBA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2AEBA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then call 0527A6E8h6_2_07C2ADD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2ADD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2BC6D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C22C3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C2BB83
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]6_2_07C228D5

          Networking

          barindex
          May check the online IP address of the machine
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: whatismyipaddress.com
          Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
          Source: unknownHTTPS traffic detected: 104.16.155.36:443 -> 192.168.2.3:49764 version: TLS 1.0
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
          Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 02 Apr 2022 14:34:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Chl-Bypass: 1Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=iSuLMgkCj210RA6VjTF.Vym6s_NAMvyb_k6WTeMPLIM-1648910081-0-AYTNdng45DS8+GTSaAdVhmtPzoqJo2Yq7GJk4+qSK7ueiMK8qNs13S1EJ7jL5Ph5ye0IxzhCNt+kZPqNx1doDL8=; path=/; expires=Sat, 02-Apr-22 15:04:41 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6f5a496b7c1e68e9-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: 72QC-GMI2022.exe, 00000001.00000002.277966727.0000000003301000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com
          Source: RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/-
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.site.com/logs.php
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: RegSvcs.exe, 00000006.00000002.345920029.0000000002C5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddress.com/
          Source: RegSvcs.exe, 00000006.00000002.345920029.0000000002C5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddress.com4dkDX
          Source: RegSvcs.exe, 00000006.00000002.345965725.0000000002C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
          Source: unknownDNS traffic detected: queries for: whatismyipaddress.com
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          barindex
          Yara detected HawkEye Keylogger
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4480, type: MEMORYSTR
          Contains functionality to log keystrokes (.Net Source)
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.cs.Net Code: HookKeyboard

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: 72QC-GMI2022.exe, GeneticNeuralNetwork/MainFrm.csLong String: Length: 22528
          Source: 1.2.72QC-GMI2022.exe.f70000.0.unpack, GeneticNeuralNetwork/MainFrm.csLong String: Length: 22528
          Source: 1.0.72QC-GMI2022.exe.f70000.0.unpack, GeneticNeuralNetwork/MainFrm.csLong String: Length: 22528
          Source: 72QC-GMI2022.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 6.0.RegSvcs.exe.2c4b32c.21.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.2e50e94.33.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.RegSvcs.exe.2e50e94.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.7c40000.37.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.2e1ba60.34.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.RegSvcs.exe.7c40000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.7c50000.38.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.2c4b32c.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.2e50e94.23.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.2e1ba60.22.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.7c50000.27.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.7c40000.26.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.2.RegSvcs.exe.7c50000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.2c4b32c.32.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.2e1ba60.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.352893302.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000002.352866498.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.328851299.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000000.320764798.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.320800565.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
          Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_0185DB4C1_2_0185DB4C
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_0185C1481_2_0185C148
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_0185E2121_2_0185E212
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_0185A7581_2_0185A758
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_079881A81_2_079881A8
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_079869DC1_2_079869DC
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_07C866281_2_07C86628
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_07C8A4B81_2_07C8A4B8
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeCode function: 1_2_07C83A801_2_07C83A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_071AB5A06_2_071AB5A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_071AEF886_2_071AEF88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_071ABE706_2_071ABE70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_071AB2586_2_071AB258
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_071A00066_2_071A0006
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2A6806_2_07C2A680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2C4286_2_07C2C428
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C223586_2_07C22358
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C23C886_2_07C23C88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C22C486_2_07C22C48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C278006_2_07C27800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2A67B6_2_07C2A67B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C223496_2_07C22349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C23C786_2_07C23C78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_080900406_2_08090040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_080908A8 NtSetContextThread,6_2_080908A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_08090690 NtResumeThread,6_2_08090690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_080907F0 NtWriteVirtualMemory,6_2_080907F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_080908A3 NtSetContextThread,6_2_080908A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_08090940 NtSetContextThread,6_2_08090940
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0809068B NtResumeThread,6_2_0809068B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_080907EB NtWriteVirtualMemory,6_2_080907EB
          Source: 72QC-GMI2022.exeBinary or memory string: OriginalFilename vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.285888033.0000000009460000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.277966727.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000003.263604355.000000000397C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exe, 00000001.00000002.285673735.0000000007CB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exeBinary or memory string: OriginalFilenameo0Er0.exeH vs 72QC-GMI2022.exe
          Source: 72QC-GMI2022.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 72QC-GMI2022.exeVirustotal: Detection: 60%
          Source: 72QC-GMI2022.exeReversingLabs: Detection: 57%
          Source: 72QC-GMI2022.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\72QC-GMI2022.exe "C:\Users\user\Desktop\72QC-GMI2022.exe"
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\72QC-GMI2022.exe.logJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF13.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@16/19@2/2
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.csBase64 encoded string: 's+h4OoVfF1/gTxEKVeu95BymZAXKu/j7MX3t1HVyhKRm4gD++riX1jTJei2X2nbHi5oQBuEq/XdVDS2zQdrazw==', 'gLp/wELYskCet5CtWjFsby6aqXC2e1fufZefQ23SzBHl9skpt95VKH9hyE1BYthl', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4480
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess472
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMutant created: \Sessions\1\BaseNamedObjects\hGfcyGYj
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6028
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 72QC-GMI2022.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 72QC-GMI2022.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Accessibility.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: RegSvcs.pdb, source: WindowsUpdate.exe, 00000016.00000000.312831914.0000000000CD2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe, 0000001A.00000000.330340825.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe.6.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: System.Runtime.Remoting.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: RegSvcs.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000001A.00000000.330340825.00000000004E2000.00000002.00000001.01000000.00000009.sdmp, WindowsUpdate.exe.6.dr
          Source: Binary string: System.Configuration.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Drawing.pdbMZ source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: CMemoryExecute.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Core.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: Microsoft.VisualBasic.pdb\ source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.pdbH source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Drawing.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Management.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: mscorlib.ni.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Core.pdb source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: System.Runtime.Remoting.pdbh source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER1DC6.tmp.dmp.25.dr
          Source: Binary string: System.ni.pdb source: WER1DC6.tmp.dmp.25.dr

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_05273234 push 8B6780ADh; iretd 6_2_05273239
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0527FC04 push E801005Eh; ret 6_2_0527FC09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0527AC12 pushfd ; ret 6_2_0527AC21
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2D17B push esp; ret 6_2_07C2D182
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2D07B push ebx; ret 6_2_07C2D082
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2D078 push ebx; ret 6_2_07C2D07A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2CFEB push ebx; ret 6_2_07C2CFF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2CFE8 push ebx; ret 6_2_07C2CFEA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C2CFB1 push ebx; ret 6_2_07C2CFB2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_07C29E18 push ds; ret 6_2_07C29E1A
          Source: initial sampleStatic PE information: section name: .text entropy: 7.83370969274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows UpdateJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows UpdateJump to behavior

          Hooking and other Techniques for Hiding and Protection

          barindex
          Changes the view of files in windows explorer (hidden files and folders)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HiddenJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\72QC-GMI2022.exe TID: 5232Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 316Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5600Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 120000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 140000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeThread delayed: delay time: 922337203685477
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: 72QC-GMI2022.exe, 00000001.00000002.278118518.0000000003373000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000Jump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 482000Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 486000Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AE6008Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000Jump to behavior
          .NET source code references suspicious native API functions
          Source: 6.0.RegSvcs.exe.400000.13.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.13.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.28.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.28.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.17.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.17.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.9.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.9.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.2.RegSvcs.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.2.RegSvcs.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.5.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.5.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Source: 6.0.RegSvcs.exe.400000.1.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
          Source: 6.0.RegSvcs.exe.400000.1.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"Jump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Users\user\Desktop\72QC-GMI2022.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\Desktop\72QC-GMI2022.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

          Stealing of Sensitive Information

          barindex
          Yara detected MailPassView
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.29.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.3c29930.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c29930.24.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.14.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.10.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c29930.35.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c29930.35.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.45fa72.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.18.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c29930.24.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.3c29930.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.350595876.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.317681951.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4480, type: MEMORYSTR
          Yara detected HawkEye Keylogger
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4480, type: MEMORYSTR
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c95120.25.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.3c95120.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c95120.25.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.3c95120.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c95120.36.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.3c95120.36.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.350683111.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.326866300.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4480, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected HawkEye Keylogger
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.28.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.17.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.20.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.29.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.12.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.13.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.19.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.45fa72.14.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.31.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.30.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.0.RegSvcs.exe.408208.15.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 72QC-GMI2022.exe PID: 996, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4480, type: MEMORYSTR
          Detected HawkEye Rat
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
          Source: 72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
          Source: RegSvcs.exe, 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
          Source: RegSvcs.exe, 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
          Source: RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
          Source: RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HawkEyeKeylogger
          Source: RegSvcs.exe, 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
          Source: RegSvcs.exe, 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          1
          Replication Through Removable Media          		1
          Windows Management Instrumentation          		1
          Registry Run Keys / Startup Folder          		311
          Process Injection          		1
          Disable or Modify Tools          		1
          Input Capture          		1
          Peripheral Device Discovery          		1
          Replication Through Removable Media          		11
          Archive Collected Data          		Exfiltration Over Other Network Medium3
          Ingress Tool Transfer          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts1
          Native API          		Boot or Logon Initialization Scripts1
          Registry Run Keys / Startup Folder          		1
          Deobfuscate/Decode Files or Information          		LSASS Memory12
          System Information Discovery          		Remote Desktop Protocol1
          Input Capture          		Exfiltration Over Bluetooth11
          Encrypted Channel          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain Accounts1
          Shared Modules          		Logon Script (Windows)Logon Script (Windows)31
          Obfuscated Files or Information          		Security Account Manager1
          Query Registry          		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
          Remote Access Software          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)13
          Software Packing          		NTDS121
          Security Software Discovery          		Distributed Component Object ModelInput CaptureScheduled Transfer3
          Non-Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Masquerading          		LSA Secrets1
          Process Discovery          		SSHKeyloggingData Transfer Size Limits4
          Application Layer Protocol          		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common31
          Virtualization/Sandbox Evasion          		Cached Domain Credentials31
          Virtualization/Sandbox Evasion          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items311
          Process Injection          		DCSync1
          Remote System Discovery          		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          Hidden Files and Directories          		Proc Filesystem1
          System Network Configuration Discovery          		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 601910 Sample: 72QC-GMI2022.exe Startdate: 02/04/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected HawkEye Rat 2->49 51 10 other signatures 2->51 8 72QC-GMI2022.exe 3 2->8         started        12 WindowsUpdate.exe 2 2->12         started        14 WindowsUpdate.exe 2->14         started        process3 file4 39 C:\Users\user\...\72QC-GMI2022.exe.log, ASCII 8->39 dropped 63 Writes to foreign memory regions 8->63 65 Injects a PE file into a foreign processes 8->65 16 RegSvcs.exe 16 5 8->16         started        21 RegSvcs.exe 8->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        signatures5 process6 dnsIp7 41 whatismyipaddress.com 104.16.155.36, 443, 49763, 49764 CLOUDFLARENETUS United States 16->41 43 192.168.2.1 unknown unknown 16->43 37 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 16->37 dropped 53 Changes the view of files in windows explorer (hidden files and folders) 16->53 55 Writes to foreign memory regions 16->55 57 Sample uses process hollowing technique 16->57 59 Injects a PE file into a foreign processes 16->59 27 vbc.exe 16->27         started        29 vbc.exe 16->29         started        31 WerFault.exe 17 9 16->31         started        61 May check the online IP address of the machine 21->61 file8 signatures9 process10 process11 33 WerFault.exe 3 9 27->33         started        35 WerFault.exe 22 9 29->35         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          72QC-GMI2022.exe60%VirustotalBrowse
          72QC-GMI2022.exe57%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          72QC-GMI2022.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\WindowsUpdate.exe0%VirustotalBrowse
          C:\Users\user\AppData\Roaming\WindowsUpdate.exe0%MetadefenderBrowse
          C:\Users\user\AppData\Roaming\WindowsUpdate.exe0%ReversingLabs

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          6.0.RegSvcs.exe.400000.13.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.13.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.28.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.28.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.17.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.17.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.9.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.9.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.2.RegSvcs.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.2.RegSvcs.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.5.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.5.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
          6.0.RegSvcs.exe.400000.1.unpack100%AviraTR/AD.MExecute.lzracDownload File
          6.0.RegSvcs.exe.400000.1.unpack100%AviraSPR/Tool.MailPassView.473Download File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          https://whatismyipaddress.com4dkDX0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          whatismyipaddress.com
          		104.16.155.36
          		truefalse
            		high

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://whatismyipaddress.com/false
              		high
              http://whatismyipaddress.com/false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.apache.org/licenses/LICENSE-2.072QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.com/designersG72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bThe72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers?72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.tiro.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://whatismyipaddress.comRegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://whatismyipaddress.com4dkDXRegSvcs.exe, 00000006.00000002.345920029.0000000002C5E000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.goodfont.co.kr72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.carterandcone.coml72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://www.cloudflare.com/5xx-error-landingRegSvcs.exe, 00000006.00000002.345965725.0000000002C89000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sajatypeworks.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netD72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlN72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/cThe72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htm72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/frere-jones.html72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.jiyu-kobo.co.jp/72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://whatismyipaddress.com/-72QC-GMI2022.exe, 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.galapagosdesign.com/DPlease72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers872QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fonts.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sandoll.co.kr72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.site.com/logs.phpRegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.urwpp.deDPlease72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.nirsoft.net/RegSvcs.exe, 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.zhongyicts.com.cn72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name72QC-GMI2022.exe, 00000001.00000002.277966727.0000000003301000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000000.314031444.0000000002C21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.sakkal.com72QC-GMI2022.exe, 00000001.00000002.285015902.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                104.16.155.36
                                                		whatismyipaddress.comUnited States
                                                		13335CLOUDFLARENETUSfalse

                                                Private

                                                IP
                                                192.168.2.1

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:601910
                                                Start date and time:2022-04-02 14:33:20 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 12m 41s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:72QC-GMI2022.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:35
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@16/19@2/2
                                                EGA Information:
                                                • Successful, ratio: 40%
                                                HDC Information:
                                                • Successful, ratio: 0.2% (good quality ratio 0.2%)
                                                • Quality average: 52.2%
                                                • Quality standard deviation: 40%
                                                HCA Information:
                                                • Successful, ratio: 99%
                                                • Number of executed functions: 100
                                                • Number of non-executed functions: 14
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.168.117.173, 20.189.173.20
                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
                                                • Execution Graph export aborted for target WindowsUpdate.exe, PID 5468 because it is empty
                                                • Execution Graph export aborted for target WindowsUpdate.exe, PID 6628 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                16:34:28API Interceptor1x Sleep call for process: 72QC-GMI2022.exe modified
                                                16:34:42API Interceptor4x Sleep call for process: RegSvcs.exe modified
                                                16:34:42AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                16:34:52AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                16:34:57API Interceptor3x Sleep call for process: WerFault.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                104.16.155.36Y4lA02GQNd.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                steg.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                TGQfHfehsY.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                ymOOyTtHBV.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                57poVaWCk4.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                CdHqfJlg4h.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                JYblFfoBHL.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                6WReJDfOQZ.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                MhyHClaiU8.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                ltEcJCMgSy.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                2NQJAJoj9w.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                SW0P9o9ksjpBsnr.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                5.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                Hpdyv8oO3j.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                NEW PO.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                npdkUsrM4B.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                UMUNNA1.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                Sample_B.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                PO_Invoices_pdf.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/
                                                Orders.exeGet hashmaliciousBrowse
                                                • whatismyipaddress.com/

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                whatismyipaddress.com7.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                Y4lA02GQNd.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                steg.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Payment Slip.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                TGQfHfehsY.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                RIP_YOUR_PC_LOL.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                02132022769992.docGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                ymOOyTtHBV.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                57poVaWCk4.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                CdHqfJlg4h.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                JYblFfoBHL.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                6WReJDfOQZ.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                MhyHClaiU8.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                ltEcJCMgSy.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                2NQJAJoj9w.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                wi0o9r5lvB.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                SwqJN4RgIo.exeGet hashmaliciousBrowse
                                                • 104.16.154.36
                                                lgawpxELtj.exeGet hashmaliciousBrowse
                                                • 104.16.154.36

                                                ASNs

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                CLOUDFLARENETUSShipment Details - Couva 760P - SO 10169195.pdf.exeGet hashmaliciousBrowse
                                                • 188.114.96.7
                                                IN02672Q0583765NBOM.exeGet hashmaliciousBrowse
                                                • 188.114.96.7
                                                Priority Payment Advice.pdf.HtmGet hashmaliciousBrowse
                                                • 104.17.25.14
                                                file.exeGet hashmaliciousBrowse
                                                • 188.114.97.7
                                                oZF5Kkn4wD.exeGet hashmaliciousBrowse
                                                • 188.114.96.7
                                                PI- PI04522748-pdf.exeGet hashmaliciousBrowse
                                                • 188.114.96.7
                                                SNAKKNUNU09876546790.exeGet hashmaliciousBrowse
                                                • 188.114.97.7
                                                Euu8RXSbVs.exeGet hashmaliciousBrowse
                                                • 188.114.97.7
                                                Bank Details 0001.exeGet hashmaliciousBrowse
                                                • 188.114.96.7
                                                http://denverurbanleague.orgGet hashmaliciousBrowse
                                                • 104.21.78.98
                                                https://docs.google.com/drawings/u/315717065153/d/1g6YkBpSaOJCHsm2VUu0vXZj4W5qx4KEWK9K9TNCBObs/previewGet hashmaliciousBrowse
                                                • 104.17.24.14
                                                4505682666.exeGet hashmaliciousBrowse
                                                • 104.21.60.208
                                                TGX.exeGet hashmaliciousBrowse
                                                • 104.27.99.86
                                                BF2.exeGet hashmaliciousBrowse
                                                • 104.17.25.14
                                                i586-20220401-2259Get hashmaliciousBrowse
                                                • 1.10.54.100
                                                V54382011.htmlGet hashmaliciousBrowse
                                                • 104.16.126.175
                                                https://tophelmet.org/spencerfane/of2Get hashmaliciousBrowse
                                                • 104.21.60.145
                                                https://2a9xo4.axshare.com/Get hashmaliciousBrowse
                                                • 104.17.129.171
                                                http://www.wteia.vaishalisales.com/#.4fkpdc5.aHR0cHM6Ly9pbnN0YW50dC5rZWVwLXBhc3N3b3JkLmNvbT9lPWNib3VleUBvbmVtZWRpY2FsLmNvbQ==Get hashmaliciousBrowse
                                                • 104.18.11.207
                                                Loader.exeGet hashmaliciousBrowse
                                                • 172.67.68.68

                                                JA3 Fingerprints

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                54328bd36c14bd82ddaa0c04b25ed9adfile.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                oZF5Kkn4wD.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                PI- PI04522748-pdf.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                SNAKKNUNU09876546790.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Euu8RXSbVs.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                TGX.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                PO08-9422.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                22041081517_20220329_16042903_HesapOzeti.pdf.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                PO- ZA2214756000899800 List Xls.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Puek66nEtT.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                PO Order RECEIPT.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                JXLiFN4rXk.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                J1iP4zusHy.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                V0T6A5FI9C.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                MsT9tWNbzo.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                xs5S2KzvK8.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                CLExSz9TxL.exeGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Releve__ID0021558503.vbsGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Releve__ID0021558501.vbsGet hashmaliciousBrowse
                                                • 104.16.155.36
                                                Orden De Compra.exeGet hashmaliciousBrowse
                                                • 104.16.155.36

                                                Dropped Files

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exedocuments.exeGet hashmaliciousBrowse
                                                  Swift-Copy.pdf.exeGet hashmaliciousBrowse
                                                    Outstanding-Payment.exeGet hashmaliciousBrowse
                                                      dMOchCT49B.exeGet hashmaliciousBrowse
                                                        vbc.exeGet hashmaliciousBrowse
                                                          Outstanding-Payment.exeGet hashmaliciousBrowse
                                                            MARCH SOA.exeGet hashmaliciousBrowse
                                                              SOA.exeGet hashmaliciousBrowse
                                                                Order329863.PDF.exeGet hashmaliciousBrowse
                                                                  POA.exeGet hashmaliciousBrowse
                                                                    Image 0002.exeGet hashmaliciousBrowse
                                                                      PR 11442066__S10-346-17 PROJECT__S10 (2).exeGet hashmaliciousBrowse
                                                                        kAotvGuQ7L.exeGet hashmaliciousBrowse
                                                                          z2U2Y8XSdS.exeGet hashmaliciousBrowse
                                                                            Payment Slip.exeGet hashmaliciousBrowse
                                                                              PR 11442066__S10-346-17 PROJECT__S10.exeGet hashmaliciousBrowse
                                                                                SOA.exeGet hashmaliciousBrowse
                                                                                  P.O.exeGet hashmaliciousBrowse
                                                                                    H1avcG0LSI.exeGet hashmaliciousBrowse
                                                                                      Soa.exeGet hashmaliciousBrowse

                                                                                        Created / dropped Files

                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_17497f1c889cee8e9e12e73671f2844b60254d_8f25071a_11e63219\Report.wer

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.3072065102036208
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:jOkwhGGWHz6fdaPXUlXK8zIUGrI/u7sDS274Itly:iTwZz6fdascI/u7sDX4Itl
                                                                                        MD5:BC20123BEE86E5BCA1D5CFA0246DF9C4
                                                                                        SHA1:037C28AC398C6EDF151352CFE066236CE06726E5
                                                                                        SHA-256:376EB3EB6D7004A396A39188C406085AE892512B71E80A27434D832A912CF6FB
                                                                                        SHA-512:A0F7DA763C5F01BF29C39F4C67F1546D60EF1C80E1CD027065331DC1AA67CA5E5270C90D8C165B666C58ED3BC93D94AE8919C768E3225777233399D3B1826DA9
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.3.4.1.6.1.0.1.5.0.0.0.9.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.3.4.1.6.1.0.5.6.4.0.7.2.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.6.5.c.7.7.d.-.3.6.3.3.-.4.0.6.e.-.b.0.5.e.-.3.1.0.d.2.8.4.c.4.c.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.7.e.9.7.8.0.-.4.e.9.b.-.4.2.c.d.-.8.e.0.4.-.1.a.a.e.d.b.f.e.1.2.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.8.0.-.0.0.0.1.-.0.0.1.d.-.1.f.4.0.-.7.0.3.4.e.a.4.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.

                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vbc.exe_39b006ef503921872d2eda2d3a2d50cb9d2cd2_6c16ead4_0bd20dc9\Report.wer

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):0.6310697755276834
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:QqDRKDLoHBUZMXQf9jl/u7sDS274ItE7GDB:nDoD8BUZMXojl/u7sDX4ItEO
                                                                                        MD5:547D01CFB6630C3686680BE2CBC6FB74
                                                                                        SHA1:4A4737F113DA8E813857D975F45E7B9B08553F17
                                                                                        SHA-256:97208C1CAF3C6429AA626FFE405121A7BF046F9F35ABED978C891872A9677E40
                                                                                        SHA-512:89466B1657FAD35298052A1822EC401E48C51E1D7355CCB8D930F2CC20860A0E9C1D3B0203FB0DCB4805055B326C57ABE23EEDE7BE1A5699C00C403E541D35B8
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.3.4.1.6.0.9.3.5.1.0.2.7.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.3.4.1.6.0.9.6.1.1.9.6.3.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.0.7.e.e.5.b.-.2.f.0.0.-.4.4.6.6.-.a.1.e.4.-.3.b.3.e.c.f.9.1.7.e.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.a.c.a.5.7.b.-.e.c.4.a.-.4.d.4.5.-.8.d.9.d.-.4.9.8.5.1.2.b.e.7.4.a.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.d.8.-.0.0.0.1.-.0.0.1.d.-.7.7.6.b.-.a.9.3.c.e.a.4.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c...e.x.

                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vbc.exe_6dcc5cbe8da1ed53c9619daffec4e218d7867f_966227d3_0e220de8\Report.wer

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):0.6312691358240113
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:jLdyKUi2tSHBUZMXQf9jl/u7sDS274ItE7GD:1RUi2QBUZMXojl/u7sDX4ItEO
                                                                                        MD5:FA3DED54E409A88162EFF729F1F06AE3
                                                                                        SHA1:9091A81B5E255556F942487B5165B5827E8BC06D
                                                                                        SHA-256:ABBF969590667AA9EB121BAC7E84623EFEE712B6E0E8D10B19E47E3E63A72D1E
                                                                                        SHA-512:3B776927D676B961B8E3668A1B878AF1FB9D45BB63312AFE85FAA56F6D486BA6C95AA10AB25578256CD45F4DE02B9B75D3BF7F7BBD29F1B3E8800915733A6C4B
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.3.4.1.6.0.9.3.6.4.5.9.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.3.4.1.6.0.9.6.5.5.2.1.7.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.b.2.c.a.9.8.-.1.a.8.f.-.4.4.0.2.-.8.b.e.c.-.e.b.b.5.3.1.b.d.3.e.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.3.6.5.6.b.c.-.8.b.1.2.-.4.2.d.1.-.a.3.6.1.-.1.9.6.4.4.b.7.1.3.3.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.b.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.v.b.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.8.c.-.0.0.0.1.-.0.0.1.d.-.7.3.7.4.-.a.a.3.c.e.a.4.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.7.8.7.d.9.a.6.e.c.3.f.2.6.2.e.8.b.7.1.d.1.9.a.c.1.5.7.c.2.a.2.8.6.a.0.f.5.9.d.d.!.v.b.c...e.x.

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DC6.tmp.dmp

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Sat Apr 2 23:35:03 2022, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):431900
                                                                                        Entropy (8bit):3.8950580784079882
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:VywPw+p9gIOgF5QoelJNpener6sVNiz0G5cAuUCgU/fjd+pYg0JoOg/:XPwg9RpDQhfJczqTjApP0JG
                                                                                        MD5:10BD15AF321E2BF857F5AE3887FB78F8
                                                                                        SHA1:D00C26E824AD1D811AEFAC6130F4DD7C3C101094
                                                                                        SHA-256:D803BC743DE3FCFDC8CC08A62844F9BCB2F138026677C86B65A0C05A5BCE431A
                                                                                        SHA-512:6CA353FE9DB9BB0E741069965AD543618FA66B431A33DBC3BD4ECC8B3BECE7781DA1D00A958B22E56C3DCB03A82634BD71FD6C2D2474E039EFAE5FF06F4108CC
                                                                                        Malicious:false
                                                                                        Preview:MDMP....... .........Hb.........................%..........<...80.......@...u..........`.......8...........T............e..,1..........t0..........`2...................................................................U...........B.......2......GenuineIntelW...........T.............Hb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER2912.tmp.WERInternalMetadata.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8260
                                                                                        Entropy (8bit):3.689266584041957
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:Rrl7r3GLNis4616Y8P6v/gmf2NSICpDP89bVtsfXkbnm:RrlsNib616Ys6Xgmf4SIVmfX9
                                                                                        MD5:2C7E1E9F70E26C250A1CB32FE19201AB
                                                                                        SHA1:86537EF4BDEA67FD0BF285C080AA57E2B497A44A
                                                                                        SHA-256:1BE9EAF17D073619A040283829B7352E5896E1376F159A82A2DF460935B2CDE7
                                                                                        SHA-512:E7B99A8A464F60CC704984808BC9C50EFF91B73C7045BC806FC14F1B7F898F7299546212E179F86B5C6DC635F1CE7FD2A7B9D99C56CCF7F2BBC6631F13772AE1
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.8.0.<./.P.i.d.>.......

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B45.tmp.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4612
                                                                                        Entropy (8bit):4.436600218288449
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwSD8zskJgtWI9guWgc8sqYjd8fm8M4JE/uFt+q8yxOP7Ld:uITfi3PgrsqYGJIqRwP7Ld
                                                                                        MD5:E2A7AECE6E9FD8ED356E2295E239D4A2
                                                                                        SHA1:7F85EAEE80EE4A4711261D214BC68785F2F1B85B
                                                                                        SHA-256:5AC17487428D2DE502FC746EF421BBD0AD65C54933D2E40D956CE9BFED89FB74
                                                                                        SHA-512:735C65ABEBF6EA7B13C60AE1DE1EE4BB4C424B98CFEBFF90830AFA63BFFCB4CF9BCCBFEEE3208A9D86EE37343870A5A8B984B7EE7500F49A2FC38D208C930306
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1454925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER369.tmp.WERInternalMetadata.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8302
                                                                                        Entropy (8bit):3.6974271026283385
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:Rrl7r3GLNi/F65svCe6Y8R6ngmf5eSQCprL89bRjsfb0v7m:RrlsNit6+j6YS6ngmfcSURIfbt
                                                                                        MD5:86EF904B143720DBC06C1392A534F219
                                                                                        SHA1:A97F0552CEE8C4A6388C52F411C6B6DAE1D8261C
                                                                                        SHA-256:346FC50332CD14641E43206729F2D088C223A5DBF14D0E854DF99FB247C7AF23
                                                                                        SHA-512:612BBC5E0FBD42A73433D7710DB4675B3F0C72D97E767169053F9517A535AB17B1B70553394A5964ABEB3F91CFAAC2DDED881F42A11A1DE22D9558AB64FC875F
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.2.<./.P.i.d.>.........

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER425.tmp.WERInternalMetadata.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8304
                                                                                        Entropy (8bit):3.6995984698658817
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:Rrl7r3GLNiCS63I6Y8W6ngmf5QSQCpr189bIBsf74m:RrlsNiX646YV6ngmfqSaI6fx
                                                                                        MD5:DEB1FEA70D05812F513158A5DBACD624
                                                                                        SHA1:435796863B591E9B47ACFF58118E263B457D52D7
                                                                                        SHA-256:F6C1994DF91861B4EC395465EFF0DA7BB0D45072D716603E41317C059BD34B01
                                                                                        SHA-512:9DFE6A0D7BF368E046E9F5A1155C5FF74874B7916AD2C6F7B9D103E2E10C113D2F7D18BF81B948E91E2EF433F2AEF01027ECA2023420EC8D094E245C6B5761DE
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.2.8.<./.P.i.d.>.......

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CC.tmp.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4644
                                                                                        Entropy (8bit):4.47793156444566
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwSD8zskJgtWI9guWgc8sqYjC8fm8M4JlRZFp+q8VB1lMSGd:uITfi3PgrsqYLJn9E1lTGd
                                                                                        MD5:B7554A4B4E87CA207701C3ADC2B24596
                                                                                        SHA1:4EDB55AA459E423058E6766EBB8A78C915DB0FAB
                                                                                        SHA-256:8412F8CC51B110DD537F79E6A784F6B76813B286C08A8C42A398E1F0D28DCC3C
                                                                                        SHA-512:5B62B074A0B57387099FF6309BCD9CFB20C54B9E57780FE84DB73E907D475C8A4DE6EE941CA4A328E6913F8F2644E37B77CB3A9CA9FE20C8E17D3DADADAEE6DA
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1454925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER781.tmp.xml

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4644
                                                                                        Entropy (8bit):4.477615849226099
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwSD8zskJgtWI9guWgc8sqYju8fm8M4JzRZFB+q8jB2lu5ntd:uITfi3PgrsqYXJ1Ni2lu5ntd
                                                                                        MD5:DA904DC63D36982FB780EA2D87D81FA2
                                                                                        SHA1:A469D051E4F772C1D1E8470CAC5F1F0979E75AAB
                                                                                        SHA-256:F3C1B2AF52F894C28D9CC2AC4529BF5D396B06B4710841D7185355E3516E8ADD
                                                                                        SHA-512:64D3D89DC79E91E015E0016EA93933B01D3EEBA346788D92ABD2E8ED2BEF729E3FA4728F602A2CD3A114863053734C3EDEB777761AFC04515F1ED2F6CD4A296D
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1454925" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE86.tmp.dmp

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 14 streams, Sat Apr 2 23:34:54 2022, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):17362
                                                                                        Entropy (8bit):2.1536984804805637
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:5T8b8D/xC4Zwxci7wtTzwXRKywuFDB5bkWInWIXmI4Q:Kcx4eOUUNxDB5bbQ
                                                                                        MD5:47B122A6457ED34F294248B8294F759A
                                                                                        SHA1:3B9D07C855EE6BAFF7CCB6CF52A65109003EEC76
                                                                                        SHA-256:21FA739078A7B968AA3603E4D0DD7A764577A131A9020A138AEB7F5B35093EDB
                                                                                        SHA-512:32520CA384F5BAAC8EF542CE277764A2B3BB54C1B448BB76BDCCF63EDD441A7187FB1D278985C229019AFDBD07571F7A5108122AC1205C8668D2161AA9912CB7
                                                                                        Malicious:false
                                                                                        Preview:MDMP....... .........Hb............4...............<.......D...~...........T.......8...........T...........h...j<...........................................................................................U...........B......t.......GenuineIntelW...........T.............Hb.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF13.tmp.dmp

                                                                                        Download File
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 14 streams, Sat Apr 2 23:34:54 2022, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):17362
                                                                                        Entropy (8bit):2.1535700561933995
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:5T858D//Pgl1Pi7wqAlhwfRCywuBN356lyWI/WIXmIQ/S:Ky/OPOGwdVN35Oh/
                                                                                        MD5:A12A8316E6FC1E437699332CF051B306
                                                                                        SHA1:A66470750420C91EA0D40830304122A07B736E68
                                                                                        SHA-256:E4518E99DCE698061C701B6F60F3E00C1C12D3D003A54195FD6D3C2C37C3B552
                                                                                        SHA-512:3AB68324321F4547CDAAFC2E35460750D38F0C85397239EB1178C5C5D1CAE73225E0DA996E12E852401FB52510A0AD5DB806264F32811A6B05737FDF28983FB3
                                                                                        Malicious:false
                                                                                        Preview:MDMP....... .........Hb............4...............<.......D...~...........T.......8...........T...........h...j<...........................................................................................U...........B......t.......GenuineIntelW...........T.............Hb.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\72QC-GMI2022.exe.log

                                                                                        Download File
                                                                                        Process:C:\Users\user\Desktop\72QC-GMI2022.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1314
                                                                                        Entropy (8bit):5.350128552078965
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log

                                                                                        Download File
                                                                                        Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):142
                                                                                        Entropy (8bit):5.090621108356562
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                        MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                                                        C:\Users\user\AppData\Roaming\WindowsUpdate.exe

                                                                                        Download File
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):45152
                                                                                        Entropy (8bit):6.149629800481177
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                        MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                        SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                        SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                        SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                        • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Joe Sandbox View:
                                                                                        • Filename: documents.exe, Detection: malicious, Browse
                                                                                        • Filename: Swift-Copy.pdf.exe, Detection: malicious, Browse
                                                                                        • Filename: Outstanding-Payment.exe, Detection: malicious, Browse
                                                                                        • Filename: dMOchCT49B.exe, Detection: malicious, Browse
                                                                                        • Filename: vbc.exe, Detection: malicious, Browse
                                                                                        • Filename: Outstanding-Payment.exe, Detection: malicious, Browse
                                                                                        • Filename: MARCH SOA.exe, Detection: malicious, Browse
                                                                                        • Filename: SOA.exe, Detection: malicious, Browse
                                                                                        • Filename: Order329863.PDF.exe, Detection: malicious, Browse
                                                                                        • Filename: POA.exe, Detection: malicious, Browse
                                                                                        • Filename: Image 0002.exe, Detection: malicious, Browse
                                                                                        • Filename: PR 11442066__S10-346-17 PROJECT__S10 (2).exe, Detection: malicious, Browse
                                                                                        • Filename: kAotvGuQ7L.exe, Detection: malicious, Browse
                                                                                        • Filename: z2U2Y8XSdS.exe, Detection: malicious, Browse
                                                                                        • Filename: Payment Slip.exe, Detection: malicious, Browse
                                                                                        • Filename: PR 11442066__S10-346-17 PROJECT__S10.exe, Detection: malicious, Browse
                                                                                        • Filename: SOA.exe, Detection: malicious, Browse
                                                                                        • Filename: P.O.exe, Detection: malicious, Browse
                                                                                        • Filename: H1avcG0LSI.exe, Detection: malicious, Browse
                                                                                        • Filename: Soa.exe, Detection: malicious, Browse
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                                                        C:\Users\user\AppData\Roaming\pid.txt

                                                                                        Download File
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4
                                                                                        Entropy (8bit):1.5
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:nn:n
                                                                                        MD5:34F9A343F945196B66F807E0EB6249FD
                                                                                        SHA1:A694CE2F09496848B3202E9A60E66DDABD9675B6
                                                                                        SHA-256:CB75A48046C21183CC0FC8E09657A712194966D7D21D2C9C21C52A09DF0FFE82
                                                                                        SHA-512:4FF93A068FB4CFB169A3FD9C85F7065D14A1AAF776E918942921DB600FFE4FBBF88CBD1C4973D8FE54553695D9F3A2656108D6194832155D2D04135B68C8B076
                                                                                        Malicious:false
                                                                                        Preview:4480

                                                                                        C:\Users\user\AppData\Roaming\pidloc.txt

                                                                                        Download File
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):57
                                                                                        Entropy (8bit):4.830795005765378
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
                                                                                        MD5:08E799E8E9B4FDA648F2500A40A11933
                                                                                        SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
                                                                                        SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
                                                                                        SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
                                                                                        Malicious:false
                                                                                        Preview:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

                                                                                        \Device\ConDrv

                                                                                        Download File
                                                                                        Process:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1141
                                                                                        Entropy (8bit):4.44831826838854
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                        MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                        SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                        SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                        SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                        Malicious:false
                                                                                        Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.826698806988846
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:72QC-GMI2022.exe
                                                                                        File size:788480
                                                                                        MD5:de8a8f710f5bfdacbc1843b997741b86
                                                                                        SHA1:3abf5d61febd54753055bb2707853ea2eace025a
                                                                                        SHA256:f97f876b529e2569d80b1190a249088582117b29aef9af9d8a0e992c2df2db2d
                                                                                        SHA512:860e66fabedb56ea4337fed8439ea05f6d01c3ae57e5e3ac79a937ad964cf77cfb35ed4b4cdc84bdb548067a2d8685aa79fa1ae3aca30e9dbcf71bd7f1e7913b
                                                                                        SSDEEP:12288:0weOS9PfObujtx3NmAeRnDzKOuVjujtgsPGtJPps9uvIrwKafPTAHNacDG7UDPR:m93Out7mAeRDuOuYwJPpmcjAtac67UD
                                                                                        TLSH:F2F401ABC3F9AF1BD48F02391420892B3FF0E8D3B620D559FE4615F999AB79A0444753
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.Fb..............P.................. ... ....@.. .......................`............@................................

                                                                                        File Icon

                                                                                        Icon Hash:00828e8e8686b000

                                                                                        Static PE Info

                                                                                        General

                                                                                        Entrypoint:0x4c1cca
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                        Time Stamp:0x6246F339 [Fri Apr 1 12:42:33 2022 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                        Entrypoint Preview

                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add dword ptr [eax], eax
                                                                                        add byte ptr [ecx], al
                                                                                        add dword ptr [eax], eax
                                                                                        add byte ptr [eax], al
                                                                                        add dword ptr [ecx], eax
                                                                                        add dword ptr [eax], eax
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        call far B999h : 99999999h
                                                                                        aas
                                                                                        jnp 00007F0C6074E736h
                                                                                        scasb
                                                                                        inc edi
                                                                                        loope 00007F0C6074E79Ch
                                                                                        xchg eax, esp
                                                                                        aas
                                                                                        call far B999h : 99999999h
                                                                                        aas
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al

                                                                                        Data Directories

                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xc1c780x4f.text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc20000x5c4.rsrc
                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xc40000xc.reloc
                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                        Sections

                                                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                        .text0x20000xbfcf80xbfe00False0.910877697476data7.83370969274IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                        .rsrc0xc20000x5c40x600False0.424479166667data4.1237218493IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                        .reloc0xc40000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                        Resources

                                                                                        NameRVASizeTypeLanguageCountry
                                                                                        RT_VERSION0xc20900x334data
                                                                                        RT_MANIFEST0xc23d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                        Imports

                                                                                        DLLImport
                                                                                        mscoree.dll_CorExeMain

                                                                                        Version Infos

                                                                                        DescriptionData
                                                                                        Translation0x0000 0x04b0
                                                                                        LegalCopyrightCopyright 2016
                                                                                        Assembly Version1.0.0.0
                                                                                        InternalNameo0Er0.exe
                                                                                        FileVersion1.0.0.0
                                                                                        CompanyName
                                                                                        LegalTrademarks
                                                                                        Comments
                                                                                        ProductNameWindowsApplication1
                                                                                        ProductVersion1.0.0.0
                                                                                        FileDescriptionWindowsApplication1
                                                                                        OriginalFilenameo0Er0.exe

                                                                                        Network Behavior

                                                                                        Network Port Distribution

                                                                                        TCP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Apr 2, 2022 16:34:41.309788942 CEST4976380192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.325750113 CEST8049763104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.325869083 CEST4976380192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.326762915 CEST4976380192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.342480898 CEST8049763104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.353364944 CEST8049763104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.385445118 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.385490894 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.386241913 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.417290926 CEST4976380192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.436574936 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.436630964 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.486257076 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.487849951 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.489974022 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.489994049 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.490333080 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.573662043 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.819348097 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.862231970 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865211010 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865319967 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865390062 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.865401030 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865423918 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865530014 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865597010 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865633011 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.865653992 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865690947 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.865717888 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865789890 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865855932 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865869045 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.865883112 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.865920067 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.866028070 CEST44349764104.16.155.36192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.866183043 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:34:41.872102022 CEST49764443192.168.2.3104.16.155.36
                                                                                        Apr 2, 2022 16:35:12.926043034 CEST4976380192.168.2.3104.16.155.36

                                                                                        UDP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Apr 2, 2022 16:34:41.257026911 CEST6354853192.168.2.38.8.8.8
                                                                                        Apr 2, 2022 16:34:41.278702021 CEST53635488.8.8.8192.168.2.3
                                                                                        Apr 2, 2022 16:34:41.363240004 CEST4932753192.168.2.38.8.8.8
                                                                                        Apr 2, 2022 16:34:41.382637024 CEST53493278.8.8.8192.168.2.3

                                                                                        DNS Queries

                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                        Apr 2, 2022 16:34:41.257026911 CEST192.168.2.38.8.8.80x606bStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                                        Apr 2, 2022 16:34:41.363240004 CEST192.168.2.38.8.8.80x77ffStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)

                                                                                        DNS Answers

                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                        Apr 2, 2022 16:34:41.278702021 CEST8.8.8.8192.168.2.30x606bNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                                        Apr 2, 2022 16:34:41.278702021 CEST8.8.8.8192.168.2.30x606bNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                                        Apr 2, 2022 16:34:41.382637024 CEST8.8.8.8192.168.2.30x77ffNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                                        Apr 2, 2022 16:34:41.382637024 CEST8.8.8.8192.168.2.30x77ffNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)

                                                                                        HTTP Request Dependency Graph

                                                                                        • whatismyipaddress.com

                                                                                        HTTP Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        0192.168.2.349764104.16.155.36443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        TimestampkBytes transferredDirectionData


                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        1192.168.2.349763104.16.155.3680C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        TimestampkBytes transferredDirectionData
                                                                                        Apr 2, 2022 16:34:41.326762915 CEST1134OUTGET / HTTP/1.1
                                                                                        Host: whatismyipaddress.com
                                                                                        Connection: Keep-Alive
                                                                                        Apr 2, 2022 16:34:41.353364944 CEST1135INHTTP/1.1 301 Moved Permanently
                                                                                        Date: Sat, 02 Apr 2022 14:34:41 GMT
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: keep-alive
                                                                                        Cache-Control: max-age=3600
                                                                                        Expires: Sat, 02 Apr 2022 15:34:41 GMT
                                                                                        Location: https://whatismyipaddress.com/
                                                                                        Set-Cookie: __cf_bm=6WLP64lj79qCdFXXFK.s_QvHKk64cwJb_ZsOfOnVBVE-1648910081-0-AZPmw3+FecSptzpkPnjUOsWN+gtHgKi83CCJrg6+gBy5AAvnmp59It/f7DaGuN3r8tC4j1EoJ8bbACHpkBKeeBI=; path=/; expires=Sat, 02-Apr-22 15:04:41 GMT; domain=.whatismyipaddress.com; HttpOnly
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 6f5a49685d795c56-FRA
                                                                                        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        HTTPS Proxied Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                        0192.168.2.349764104.16.155.36443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        TimestampkBytes transferredDirectionData
                                                                                        2022-04-02 14:34:41 UTC0OUTGET / HTTP/1.1
                                                                                        Host: whatismyipaddress.com
                                                                                        Connection: Keep-Alive
                                                                                        2022-04-02 14:34:41 UTC0INHTTP/1.1 403 Forbidden
                                                                                        Date: Sat, 02 Apr 2022 14:34:41 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        CF-Chl-Bypass: 1
                                                                                        Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                                                                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                        Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                        Set-Cookie: __cf_bm=iSuLMgkCj210RA6VjTF.Vym6s_NAMvyb_k6WTeMPLIM-1648910081-0-AYTNdng45DS8+GTSaAdVhmtPzoqJo2Yq7GJk4+qSK7ueiMK8qNs13S1EJ7jL5Ph5ye0IxzhCNt+kZPqNx1doDL8=; path=/; expires=Sat, 02-Apr-22 15:04:41 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 6f5a496b7c1e68e9-FRA
                                                                                        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                        2022-04-02 14:34:41 UTC1INData Raw: 33 33 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                        Data Ascii: 339d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                                        2022-04-02 14:34:41 UTC1INData Raw: 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 74 69 74 6c 65 3e 50 6c 65 61 73 65 20 57 61 69 74 2e 2e 2e 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 69 64 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22
                                                                                        Data Ascii: o-js" lang="en-US"> ...<![endif]--><head><title>Please Wait... | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="
                                                                                        2022-04-02 14:34:41 UTC2INData Raw: 47 7a 4e 42 7a 30 22 2c 0a 20 20 20 20 20 20 20 20 63 46 50 57 76 3a 20 22 62 22 2c 0a 20 20 20 20 20 20 20 20 63 54 54 69 6d 65 4d 73 3a 20 22 31 30 30 30 22 2c 0a 20 20 20 20 20 20 20 20 63 4c 74 3a 20 22 6e 22 2c 0a 20 20 20 20 20 20 20 20 63 52 71 3a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 72 75 3a 20 22 61 48 52 30 63 48 4d 36 4c 79 39 33 61 47 46 30 61 58 4e 74 65 57 6c 77 59 57 52 6b 63 6d 56 7a 63 79 35 6a 62 32 30 76 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 61 3a 20 22 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 6d 3a 20 22 52 30 56 55 22 2c 0a 20 20 20 20 20 20 20 20 20 20 64 3a 20 22 58 5a 74 4e 45 49 64 57 6c 78 55 49 55 69 72 35 7a 54 56 68 4c 6a 30 46 67 5a 41 64 4c 70 53 4a 7a 61 4a 35 65 2b 58 73 6b 34 34 38 48 6b 73 49 30 52 45 41 32 35 70
                                                                                        Data Ascii: GzNBz0", cFPWv: "b", cTTimeMs: "1000", cLt: "n", cRq: { ru: "aHR0cHM6Ly93aGF0aXNteWlwYWRkcmVzcy5jb20v", ra: "", rm: "R0VU", d: "XZtNEIdWlxUIUir5zTVhLj0FgZAdLpSJzaJ5e+Xsk448HksI0REA25p
                                                                                        2022-04-02 14:34:41 UTC4INData Raw: 3a 36 39 70 78 3b 20 6d 61 72 67 69 6e 3a 20 20 61 75 74 6f 3b 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 70 6c 65 61 73 65 2d 77 61 69 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 20 20 2e 61 74 74 72 69 62 75 74 69 6f 6e 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 32 70 78 3b 7d 0a 20 20 2e 62 75 62 62 6c 65 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 38 32 32 30 3b 20 77 69 64 74 68 3a 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 32 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 25 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66
                                                                                        Data Ascii: :69px; margin: auto;} #cf-wrapper #cf-please-wait{text-align:center} .attribution {margin-top: 32px;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } #cf-wrapper #challenge-f
                                                                                        2022-04-02 14:34:41 UTC5INData Raw: 20 20 20 20 20 20 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 20 63 66 2d 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 68 69 67 68 6c 69 67 68 74 2d 69 6e 76 65 72 73 65 20 63 66 2d 66 6f 72 6d 2d 73 74 61 63 6b 65 64
                                                                                        Data Ascii: <div class="cf-section cf-highlight cf-captcha-container"> <div class="cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <div class="cf-highlight-inverse cf-form-stacked
                                                                                        2022-04-02 14:34:41 UTC6INData Raw: 32 47 32 76 4a 58 6b 48 4c 5f 59 72 34 70 58 6c 7a 79 31 43 6b 49 76 65 75 44 61 72 36 52 57 64 6c 67 4c 5a 7a 34 36 50 41 33 4d 4d 53 59 41 33 54 53 45 6d 55 5f 64 59 55 49 56 46 67 35 30 78 6c 6c 6f 36 65 6e 66 6d 6c 39 56 7a 33 56 68 35 59 33 5a 31 76 72 4c 49 38 4b 39 6f 37 35 72 79 6c 58 32 67 4a 2d 49 4c 42 71 74 79 56 30 45 76 79 4c 43 65 72 57 73 62 47 62 69 32 4d 4e 76 71 79 70 58 48 65 6d 51 59 73 65 36 31 55 4c 6a 54 37 48 41 70 6e 77 4d 51 74 76 67 6f 63 61 6f 79 31 39 5f 58 37 4b 4a 31 66 30 45 64 56 59 49 42 55 32 47 4b 74 54 68 49 65 5a 75 57 4f 74 54 67 41 41 42 53 45 35 53 35 78 79 35 6b 6a 6e 6c 66 6e 43 33 57 49 47 4c 75 35 37 6c 45 6f 43 67 35 72 79 43 59 55 4b 69 69 39 42 37 59 66 36 54 61 5a 4a 6a 61 7a 36 36 6c 72 64 38 43 34 72 64
                                                                                        Data Ascii: 2G2vJXkHL_Yr4pXlzy1CkIveuDar6RWdlgLZz46PA3MMSYA3TSEmU_dYUIVFg50xllo6enfml9Vz3Vh5Y3Z1vrLI8K9o75rylX2gJ-ILBqtyV0EvyLCerWsbGbi2MNvqypXHemQYse61ULjT7HApnwMQtvgocaoy19_X7KJ1f0EdVYIBU2GKtThIeZuWOtTgAABSE5S5xy5kjnlfnC3WIGLu57lEoCg5ryCYUKii9B7Yf6TaZJjaz66lrd8C4rd
                                                                                        2022-04-02 14:34:41 UTC8INData Raw: 30 70 4b 64 65 71 6c 67 64 37 77 79 53 6b 57 4f 51 65 31 34 62 62 4d 56 34 41 71 44 68 6b 6d 51 41 32 6b 53 58 4b 66 37 72 54 37 44 63 41 37 4d 52 39 74 4e 4b 52 48 64 39 57 57 2f 55 6f 44 54 4c 70 47 47 75 79 4f 50 35 38 2f 45 4e 4f 63 6e 2b 41 6e 34 51 71 78 5a 4f 33 6a 35 55 63 4b 53 41 71 75 58 5a 44 6b 4d 5a 79 75 72 32 57 6a 6f 49 65 6c 4c 47 51 6c 4c 52 77 7a 77 54 6e 67 33 4e 4a 47 6f 62 35 59 4f 72 73 6c 65 39 68 64 4f 52 6a 67 77 4a 39 53 61 47 47 71 57 56 4d 6c 76 67 4a 74 38 71 63 77 41 2f 41 47 35 36 6d 4c 65 39 6a 58 2b 34 65 69 36 65 47 49 78 48 50 35 39 76 51 31 41 59 69 66 67 4b 73 6e 42 38 4c 37 68 74 34 70 6e 47 48 47 2f 65 6b 4a 4e 4e 52 78 71 4c 52 37 6d 4e 5a 44 38 6c 56 31 58 62 34 57 57 43 70 51 64 63 34 64 6a 4c 39 61 79 35 79 65
                                                                                        Data Ascii: 0pKdeqlgd7wySkWOQe14bbMV4AqDhkmQA2kSXKf7rT7DcA7MR9tNKRHd9WW/UoDTLpGGuyOP58/ENOcn+An4QqxZO3j5UcKSAquXZDkMZyur2WjoIelLGQlLRwzwTng3NJGob5YOrsle9hdORjgwJ9SaGGqWVMlvgJt8qcwA/AG56mLe9jX+4ei6eGIxHP59vQ1AYifgKsnB8L7ht4pnGHG/ekJNNRxqLR7mNZD8lV1Xb4WWCpQdc4djL9ay5ye
                                                                                        2022-04-02 14:34:41 UTC9INData Raw: 6c 65 61 73 65 20 74 75 72 6e 20 4a 61 76 61 53 63 72 69 70 74 20 6f 6e 20 61 6e 64 20 72 65 6c 6f 61 64 20 74 68 65 20 70 61 67 65 2e 3c 2f 68 31 3e 0a 20 20 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6e 6f 2d 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 63 6c 61 73 73 3d 22 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0a 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 43
                                                                                        Data Ascii: lease turn JavaScript on and reload the page.</h1> </noscript> <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none"> <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable C
                                                                                        2022-04-02 14:34:41 UTC10INData Raw: 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 72 6b 6a 73 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 63 70 6f 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 68 2f 62 2f 6f 72 63 68 65 73 74 72 61 74 65 2f 6d 61 6e 61 67 65 64 2f 76 31 3f 72 61 79 3d 36 66 35 61 34 39 36 62 37 63 31 65 36 38 65 39 22 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70
                                                                                        Data Ascii: document.body.appendChild(trkjs); var cpo=document.createElement('script'); cpo.type='text/javascript'; cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/managed/v1?ray=6f5a496b7c1e68e9"; window._cf_chl_op
                                                                                        2022-04-02 14:34:41 UTC12INData Raw: 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 64 65 74 61 69 6c
                                                                                        Data Ascii: ="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate="why_captcha_detail
                                                                                        2022-04-02 14:34:41 UTC13INData Raw: 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 59 6f 75 72 20 49 50 3c 2f 73 70 61 6e 3e 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 36 37 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73
                                                                                        Data Ascii: an> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 102.129.143.67</span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item s
                                                                                        2022-04-02 14:34:41 UTC14INData Raw: 30 0d 0a 0d 0a
                                                                                        Data Ascii: 0


                                                                                        Statistics

                                                                                        CPU Usage

                                                                                        Click to jump to process

                                                                                        Memory Usage

                                                                                        Click to jump to process

                                                                                        High Level Behavior Distribution

                                                                                        Click to dive into process behavior distribution

                                                                                        Behavior

                                                                                        Click to jump to process

                                                                                        System Behavior

                                                                                        General

                                                                                        Target ID:1
                                                                                        Start time:16:34:17
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Users\user\Desktop\72QC-GMI2022.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\72QC-GMI2022.exe"
                                                                                        Imagebase:0xf70000
                                                                                        File size:788480 bytes
                                                                                        MD5 hash:DE8A8F710F5BFDACBC1843B997741B86
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.282229067.0000000004D8B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Reputation:low

                                                                                        General

                                                                                        Target ID:5
                                                                                        Start time:16:34:31
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:{path}
                                                                                        Imagebase:0x2e0000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:6
                                                                                        Start time:16:34:32
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:{path}
                                                                                        Imagebase:0x9a0000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.317745543.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.352893302.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000000.328842205.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.352866498.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.326736437.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.345972644.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.307445301.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000000.328851299.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.350683111.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000000.320764798.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.321676304.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.350595876.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.317681951.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000002.344165161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.323404042.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000000.320800565.0000000007C50000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.275640150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.275308799.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.326866300.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.274878371.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.274561690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000006.00000000.315151249.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:14
                                                                                        Start time:16:34:46
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                                                                                        Imagebase:0x400000
                                                                                        File size:1171592 bytes
                                                                                        MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:15
                                                                                        Start time:16:34:46
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                                                                                        Imagebase:0x400000
                                                                                        File size:1171592 bytes
                                                                                        MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:20
                                                                                        Start time:16:34:50
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 176
                                                                                        Imagebase:0x3c0000
                                                                                        File size:434592 bytes
                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:21
                                                                                        Start time:16:34:50
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 176
                                                                                        Imagebase:0x3c0000
                                                                                        File size:434592 bytes
                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:22
                                                                                        Start time:16:34:52
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                                                                                        Imagebase:0xcd0000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, Virustotal, Browse
                                                                                        • Detection: 0%, Metadefender, Browse
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:23
                                                                                        Start time:16:34:53
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7c9170000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:25
                                                                                        Start time:16:35:00
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2660
                                                                                        Imagebase:0x3c0000
                                                                                        File size:434592 bytes
                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:26
                                                                                        Start time:16:35:00
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
                                                                                        Imagebase:0x4e0000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Target ID:27
                                                                                        Start time:16:35:01
                                                                                        Start date:02/04/2022
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7c9170000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Disassembly

                                                                                        Reset < >

                                                                                          Execution Graph

                                                                                          Execution Coverage:11.3%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:3%
                                                                                          Total number of Nodes:99
                                                                                          Total number of Limit Nodes:5
                                                                                          execution_graph 31088 17fd01c 31089 17fd034 31088->31089 31090 17fd08e 31089->31090 31095 185db14 31089->31095 31099 185e0d0 31089->31099 31104 185e0c0 31089->31104 31110 185e1f0 31089->31110 31096 185db1f 31095->31096 31114 185db4c 31096->31114 31098 185e207 31098->31090 31103 185e130 SetWindowLongW 31099->31103 31100 185e0f6 31101 185db14 SetWindowLongW 31100->31101 31102 185e102 31101->31102 31102->31090 31103->31100 31105 185e0d0 31104->31105 31109 185e130 SetWindowLongW 31105->31109 31106 185e0f6 31107 185db14 SetWindowLongW 31106->31107 31108 185e102 31107->31108 31108->31090 31109->31106 31111 185e200 31110->31111 31112 185db4c SetWindowLongW 31111->31112 31113 185e207 31112->31113 31113->31090 31116 185db57 31114->31116 31115 185e459 31116->31115 31118 185e130 31116->31118 31121 185db34 31118->31121 31122 185e160 SetWindowLongW 31121->31122 31123 185e148 31122->31123 31123->31115 31074 1856a50 GetCurrentProcess 31075 1856ac3 31074->31075 31076 1856aca GetCurrentThread 31074->31076 31075->31076 31077 1856b07 GetCurrentProcess 31076->31077 31078 1856b00 31076->31078 31079 1856b3d 31077->31079 31078->31077 31083 1857009 31079->31083 31080 1856b65 GetCurrentThreadId 31081 1856b96 31080->31081 31084 1857012 31083->31084 31085 185707a DuplicateHandle 31083->31085 31084->31080 31087 1857116 31085->31087 31087->31080 31070 185df18 31071 185df80 CreateWindowExW 31070->31071 31073 185e03c 31071->31073 31124 1856668 31125 1856669 31124->31125 31129 185678f 31125->31129 31134 18566c8 31125->31134 31126 1856689 31130 1856794 31129->31130 31131 18567f9 31130->31131 31139 1856928 31130->31139 31143 1856938 31130->31143 31131->31126 31135 18566ce 31134->31135 31136 18567f9 31135->31136 31137 1856928 2 API calls 31135->31137 31138 1856938 2 API calls 31135->31138 31136->31126 31137->31136 31138->31136 31141 1856945 31139->31141 31140 185697f 31140->31131 31141->31140 31147 185639c 31141->31147 31144 1856945 31143->31144 31145 185639c 2 API calls 31144->31145 31146 185697f 31144->31146 31145->31146 31146->31131 31148 18563a7 31147->31148 31150 1857678 31148->31150 31151 1856c9c 31148->31151 31150->31150 31152 1856ca7 31151->31152 31156 185b6b0 31152->31156 31162 185b6c8 31152->31162 31153 1857720 31153->31150 31157 185b635 31156->31157 31158 185b6be 31156->31158 31157->31153 31159 185b705 31158->31159 31168 185ba00 31158->31168 31172 185ba10 31158->31172 31159->31153 31164 185b746 31162->31164 31165 185b6f9 31162->31165 31163 185b705 31163->31153 31164->31153 31165->31163 31166 185ba00 2 API calls 31165->31166 31167 185ba10 2 API calls 31165->31167 31166->31164 31167->31164 31169 185ba10 31168->31169 31175 185ba50 31169->31175 31170 185ba1a 31170->31159 31174 185ba50 2 API calls 31172->31174 31173 185ba1a 31173->31159 31174->31173 31176 185ba73 31175->31176 31177 185ba8b 31176->31177 31183 185bcd8 31176->31183 31187 185bce8 31176->31187 31177->31170 31178 185ba83 31178->31177 31179 185bc88 GetModuleHandleW 31178->31179 31180 185bcb5 31179->31180 31180->31170 31184 185bce8 31183->31184 31185 185bd21 31184->31185 31191 185a998 31184->31191 31185->31178 31188 185bcfc 31187->31188 31189 185bd21 31188->31189 31190 185a998 LoadLibraryExW 31188->31190 31189->31178 31190->31189 31192 185bec8 LoadLibraryExW 31191->31192 31194 185bf41 31192->31194 31194->31185

                                                                                          Executed Functions

                                                                                          Function 07C86628 Relevance: .7, Instructions: 721COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 618031c1a6c105b9110b57d4b70f61bee8c3e2a28219d9594369ef4f72408087
                                                                                          • Instruction ID: cc4b9458bfca25cfdc41d0c46218358d73a56eea830fb139ca4798f081cf19b1
                                                                                          • Opcode Fuzzy Hash: 618031c1a6c105b9110b57d4b70f61bee8c3e2a28219d9594369ef4f72408087
                                                                                          • Instruction Fuzzy Hash: 845281B1B00115DFCB54EF69C488A6DB7B2FF85318B158169E806EB365DB31ED41CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8A4B8 Relevance: .7, Instructions: 662COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 99325b4afd30dc8e36f19c05cff0e86dad4fd998c4b5e9a3c91d5bc9c153b366
                                                                                          • Instruction ID: d790ecdbed2f2830ac242ad2e1ea38d2a5f3f1cf00b9ea868e923f8e2a0a8265
                                                                                          • Opcode Fuzzy Hash: 99325b4afd30dc8e36f19c05cff0e86dad4fd998c4b5e9a3c91d5bc9c153b366
                                                                                          • Instruction Fuzzy Hash: 7E3204B4B04256CFDB64AB65C88467E7BF2EF85208F16C06AD8469B354CF34DD41CBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C83A80 Relevance: .5, Instructions: 515COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ea43af40e53f4360824e2e7a506450eafc1154dbddc22ac3e5068636058de665
                                                                                          • Instruction ID: 1cdf349b61dfb1af9f42775aa5b69bf5758e0314fde9e211af23c5ceeb0c50f3
                                                                                          • Opcode Fuzzy Hash: ea43af40e53f4360824e2e7a506450eafc1154dbddc22ac3e5068636058de665
                                                                                          • Instruction Fuzzy Hash: 0912A0B0A0015A9FCB14DF65C894AAEBBF6BF88308F158169E906DB394DF34DD41CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185DB4C Relevance: .2, Instructions: 233COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7a5bc28be84aa9f8d806a1b191458dcb44fe8a1bfea32d7473f45702d8a621e1
                                                                                          • Instruction ID: 4c0abed59079e61c31fdc66ca2bf26ed1607f2188bccd7d2b3b1083fe3c690fb
                                                                                          • Opcode Fuzzy Hash: 7a5bc28be84aa9f8d806a1b191458dcb44fe8a1bfea32d7473f45702d8a621e1
                                                                                          • Instruction Fuzzy Hash: B0919335E003198FCB04DFA4D8549EDBBBAFF89304F158615E515AB3A4EB30AA89CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185E212 Relevance: .2, Instructions: 196COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 27dba6b1f1bc3e7726ecbf43de29218eaf61346b49bb71b604c79d18a408b906
                                                                                          • Instruction ID: f4d9bc30d4a2ae0fa63f452d76c34432fc92cd344d24d4e2f5a34e3b0691d650
                                                                                          • Opcode Fuzzy Hash: 27dba6b1f1bc3e7726ecbf43de29218eaf61346b49bb71b604c79d18a408b906
                                                                                          • Instruction Fuzzy Hash: 15817035D003198FCB14DFA4D8948DDBBBAFF89314F148215E515AB6A4EB30AA89CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01856A40 Relevance: 6.1, APIs: 4, Instructions: 148threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 01856AB0
                                                                                          • GetCurrentThread.KERNEL32 ref: 01856AED
                                                                                          • GetCurrentProcess.KERNEL32 ref: 01856B2A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 01856B83
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: b2add9ced54cbad2dfdba8254b61db596394472d2b7c1a95dad0ff4d89bb1195
                                                                                          • Instruction ID: 4cfa4dbc7ee09cfd5769a736a797c7f6a20e1b81f2e2cad3a890a97ccbf288ce
                                                                                          • Opcode Fuzzy Hash: b2add9ced54cbad2dfdba8254b61db596394472d2b7c1a95dad0ff4d89bb1195
                                                                                          • Instruction Fuzzy Hash: 4C61A6B4900289CFDB14CFA9D548BAEBFF1FF49304F248559E518A7350E7706A48CB66
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01856A50 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 01856AB0
                                                                                          • GetCurrentThread.KERNEL32 ref: 01856AED
                                                                                          • GetCurrentProcess.KERNEL32 ref: 01856B2A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 01856B83
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          • Opcode ID: 07b19638516b1a60a8f9b8c93f1212a6d43eeccb7baf02579f303f40d0684634
                                                                                          • Instruction ID: 1341e99928f0c6fe914e53a0e1d4d42474d53f96bfad3bed6ee5471d48f9c2d3
                                                                                          • Opcode Fuzzy Hash: 07b19638516b1a60a8f9b8c93f1212a6d43eeccb7baf02579f303f40d0684634
                                                                                          • Instruction Fuzzy Hash: 105154B49002498FEB14CFAAD548BAEBBF1FF48314F248459E519B3350E7746A48CF66
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185BA50 Relevance: 1.7, APIs: 1, Instructions: 206COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 47 185ba50-185ba75 call 185a944 50 185ba77 47->50 51 185ba8b-185ba8f 47->51 101 185ba7d call 185bcd8 50->101 102 185ba7d call 185bce8 50->102 52 185ba91-185ba9b 51->52 53 185baa3-185bae4 51->53 52->53 58 185bae6-185baee 53->58 59 185baf1-185baff 53->59 54 185ba83-185ba85 54->51 57 185bbc0-185bc80 54->57 96 185bc82-185bc85 57->96 97 185bc88-185bcb3 GetModuleHandleW 57->97 58->59 61 185bb01-185bb06 59->61 62 185bb23-185bb25 59->62 63 185bb11 61->63 64 185bb08-185bb0f call 185a950 61->64 65 185bb28-185bb2f 62->65 70 185bb13-185bb21 63->70 64->70 66 185bb31-185bb39 65->66 67 185bb3c-185bb43 65->67 66->67 71 185bb45-185bb4d 67->71 72 185bb50-185bb59 call 185a960 67->72 70->65 71->72 77 185bb66-185bb6b 72->77 78 185bb5b-185bb63 72->78 80 185bb6d-185bb74 77->80 81 185bb89-185bb8d 77->81 78->77 80->81 82 185bb76-185bb86 call 185a6e8 call 185a970 80->82 84 185bb93-185bb96 81->84 82->81 86 185bbb9-185bbbf 84->86 87 185bb98-185bbb6 84->87 87->86 96->97 98 185bcb5-185bcbb 97->98 99 185bcbc-185bcd0 97->99 98->99 101->54 102->54
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0185BCA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 6fc0c5d8d226b347d6489884aed08ad64359cda9f55fe7c8b296799f1f4d1fb1
                                                                                          • Instruction ID: f0ab784e953b7d33f7be229012dfa2c47370b0991091e82c1a1108a590a74c23
                                                                                          • Opcode Fuzzy Hash: 6fc0c5d8d226b347d6489884aed08ad64359cda9f55fe7c8b296799f1f4d1fb1
                                                                                          • Instruction Fuzzy Hash: D9812570A00B058FD765CF2AC45476ABBF2FF88304F008A29D98AD7A45D775E949CB92
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185DF0D Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 103 185df0d-185df7e 105 185df80-185df86 103->105 106 185df89-185df90 103->106 105->106 107 185df92-185df98 106->107 108 185df9b-185dfd3 106->108 107->108 109 185dfdb-185e03a CreateWindowExW 108->109 110 185e043-185e07b 109->110 111 185e03c-185e042 109->111 115 185e07d-185e080 110->115 116 185e088 110->116 111->110 115->116 117 185e089 116->117 117->117
                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0185E02A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          • Opcode ID: b1db852514a98ce875eceda92c757f8e697e2e700d26921cc03c39017e18965d
                                                                                          • Instruction ID: c88cb908f2c40e2590cdbeb27ff5e18e24194eb3a0b6781f6078b7216da35943
                                                                                          • Opcode Fuzzy Hash: b1db852514a98ce875eceda92c757f8e697e2e700d26921cc03c39017e18965d
                                                                                          • Instruction Fuzzy Hash: 7E51EEB1D003489FDB14CFA9C880ADEBFB5FF48314F24822AE818AB210D7749985CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185DF18 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 118 185df18-185df7e 119 185df80-185df86 118->119 120 185df89-185df90 118->120 119->120 121 185df92-185df98 120->121 122 185df9b-185e03a CreateWindowExW 120->122 121->122 124 185e043-185e07b 122->124 125 185e03c-185e042 122->125 129 185e07d-185e080 124->129 130 185e088 124->130 125->124 129->130 131 185e089 130->131 131->131
                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0185E02A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          • Opcode ID: decc5c96db4ead78031a45a04a9aab6c5ccc123d6581e9cc7a4ba1726cf0170a
                                                                                          • Instruction ID: 914d29a9b654ba8e6efa85f25cf79194586f03dac4091997cd969fd934afb003
                                                                                          • Opcode Fuzzy Hash: decc5c96db4ead78031a45a04a9aab6c5ccc123d6581e9cc7a4ba1726cf0170a
                                                                                          • Instruction Fuzzy Hash: E541BEB1D003099FDB14CFA9D884ADEBBB5FF48314F24822AE819AB210D7749985CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01857009 Relevance: 1.6, APIs: 1, Instructions: 104COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 132 1857009-1857010 133 1857012-1857041 call 18563fc 132->133 134 185707a-1857114 DuplicateHandle 132->134 139 1857046-185706c 133->139 137 1857116-185711c 134->137 138 185711d-185713a 134->138 137->138
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01857107
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: df0958abcf259773d8a211a1a62c4103c674852bad8570f2fc3bc5a8af193948
                                                                                          • Instruction ID: b1b9b82a4a8d556ef3650dd6fe282a449cc0b5306207fd733717ac30efcadf89
                                                                                          • Opcode Fuzzy Hash: df0958abcf259773d8a211a1a62c4103c674852bad8570f2fc3bc5a8af193948
                                                                                          • Instruction Fuzzy Hash: 3E415776900259AFCB01CFA9D844AEEBFF9FF49310F14805AE944A7321D3359A14DFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01857078 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 144 1857078-1857114 DuplicateHandle 145 1857116-185711c 144->145 146 185711d-185713a 144->146 145->146
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01857107
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 8e697bd306f8c0315a7a545fe13ae4eee3537e8cb9b2470c5357ac3eb2625cfc
                                                                                          • Instruction ID: 5fd502dfc45579f0b9a9f9638172dec293117cb632300f287796ef61c777a0c3
                                                                                          • Opcode Fuzzy Hash: 8e697bd306f8c0315a7a545fe13ae4eee3537e8cb9b2470c5357ac3eb2625cfc
                                                                                          • Instruction Fuzzy Hash: A62103B5D00259DFDB10CFA9D884AEEBBF5FB48324F14841AE914A3311D374AA54CF61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01857080 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 149 1857080-1857114 DuplicateHandle 150 1857116-185711c 149->150 151 185711d-185713a 149->151 150->151
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01857107
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 3509acbc3e5ecce9390db2a7a15670fbaa38d5fadffc60e259380af2fedb74e6
                                                                                          • Instruction ID: d354285b50e913dc9ac5f8369aaa70fd4b1af1d3135c3ae6867f367678ee9aef
                                                                                          • Opcode Fuzzy Hash: 3509acbc3e5ecce9390db2a7a15670fbaa38d5fadffc60e259380af2fedb74e6
                                                                                          • Instruction Fuzzy Hash: 8021F3B5D002599FDB10CFAAD884AEEBBF9FB48320F14841AE914B3310D374A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185A998 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 154 185a998-185bf08 156 185bf10-185bf3f LoadLibraryExW 154->156 157 185bf0a-185bf0d 154->157 158 185bf41-185bf47 156->158 159 185bf48-185bf65 156->159 157->156 158->159
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0185BD21,00000800,00000000,00000000), ref: 0185BF32
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 210c70937439b726566e9101baeebada6b56bd1d86c6fbe5f77d053acc247cb3
                                                                                          • Instruction ID: d0f5881977eb5adfabd45be7412214a70e3a2516ff753512bc4b63b744590f97
                                                                                          • Opcode Fuzzy Hash: 210c70937439b726566e9101baeebada6b56bd1d86c6fbe5f77d053acc247cb3
                                                                                          • Instruction Fuzzy Hash: 931114B6D042498FDB10CF9AD444BEEFBF5EB58324F04842AE915B7200C375AA45CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185BEC0 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 162 185bec0-185bf08 164 185bf10-185bf3f LoadLibraryExW 162->164 165 185bf0a-185bf0d 162->165 166 185bf41-185bf47 164->166 167 185bf48-185bf65 164->167 165->164 166->167
                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0185BD21,00000800,00000000,00000000), ref: 0185BF32
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 62ebbc8cf1d7ffed7b815dfe3d64696b6b42f0e0df911b523ba98402b241d935
                                                                                          • Instruction ID: 9ebaca37a73a843ee3b9d112fcce2e1cf49bf5a35bebf934fa2c3ba8ec0d2131
                                                                                          • Opcode Fuzzy Hash: 62ebbc8cf1d7ffed7b815dfe3d64696b6b42f0e0df911b523ba98402b241d935
                                                                                          • Instruction Fuzzy Hash: D01114B6D043498FDB10CFAAD444ADEFBF5EB58324F14842AE915A7300C775A545CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185DB34 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 176 185db34-185e1ca SetWindowLongW 178 185e1d3-185e1e7 176->178 179 185e1cc-185e1d2 176->179 179->178
                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0185E1BD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1378638983-0
                                                                                          • Opcode ID: f48bc8bfdb72cc0e511295495c53426b1b31629ea21713306a592a56c4ef2fa0
                                                                                          • Instruction ID: dcf8f556f35ab5ad2eb3fc125a3ed706e45218c55b06d396a870b1bbcc5c8c9e
                                                                                          • Opcode Fuzzy Hash: f48bc8bfdb72cc0e511295495c53426b1b31629ea21713306a592a56c4ef2fa0
                                                                                          • Instruction Fuzzy Hash: 4A11F2B59006499FDB10DF99D984BEEFBF8EB48324F10841AE915A7700C3B4AA44CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185BC40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 170 185bc40-185bc80 171 185bc82-185bc85 170->171 172 185bc88-185bcb3 GetModuleHandleW 170->172 171->172 173 185bcb5-185bcbb 172->173 174 185bcbc-185bcd0 172->174 173->174
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0185BCA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 36a4ff83be5290d13edce3bca74886bc671843fa78b0d228285dcc834cbd053c
                                                                                          • Instruction ID: 31565cbe24227e6941006137bc836fb95171a67d5db8b74d543095b65b1490e2
                                                                                          • Opcode Fuzzy Hash: 36a4ff83be5290d13edce3bca74886bc671843fa78b0d228285dcc834cbd053c
                                                                                          • Instruction Fuzzy Hash: E11110B6C002498FDB10CF9AD444BDEFBF5EB88324F10841AD819B7600D778AA45CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185E159 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 181 185e159-185e1ca SetWindowLongW 182 185e1d3-185e1e7 181->182 183 185e1cc-185e1d2 181->183 183->182
                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0185E1BD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1378638983-0
                                                                                          • Opcode ID: e6e4fb60f7343221abc0ce7fe6bb6ae8e75469d767da3d5459bd81eb32c9e434
                                                                                          • Instruction ID: 29be9b9c737b2efba1bf91c3599d27fc90b911c7591f065b592e446b089b5031
                                                                                          • Opcode Fuzzy Hash: e6e4fb60f7343221abc0ce7fe6bb6ae8e75469d767da3d5459bd81eb32c9e434
                                                                                          • Instruction Fuzzy Hash: 981103B5D006498FEB10CF99D585BEEBBF8EB48320F10841AD918A7340C374AA44CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8B3C1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                          Download Yara Rule
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ID
                                                                                          • API String ID: 0-947598714
                                                                                          • Opcode ID: 617279a57ab82e6f29799114f757518b01066cb284cc6bedcd4cdab782aa0572
                                                                                          • Instruction ID: 4a76ec2621f871cfd8665b994466a72bef8b909633114652b1a4a0718dd489d2
                                                                                          • Opcode Fuzzy Hash: 617279a57ab82e6f29799114f757518b01066cb284cc6bedcd4cdab782aa0572
                                                                                          • Instruction Fuzzy Hash: 3031F7F0B042159FC7949FA8D8966BE77E5EFC6208F16046BE205DB781EB348D00C762
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C82E80 Relevance: .4, Instructions: 371COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 384ff6ef6db1902d41572a67e7deb16c7afe7b69a5e17ebdb2d867b48c7ec43e
                                                                                          • Instruction ID: 721205a85bd72395ee1e7fd0e17d1c8b28f9a189ca2f8f036ab3b9ff62446b1e
                                                                                          • Opcode Fuzzy Hash: 384ff6ef6db1902d41572a67e7deb16c7afe7b69a5e17ebdb2d867b48c7ec43e
                                                                                          • Instruction Fuzzy Hash: 91D19B7070415A9FCB58AF64C89CB7E7BE6AB88708F148428E60ADB384DF74DD41CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C83570 Relevance: .2, Instructions: 230COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6118ecc60de4efa0c3cad7db4edc76bc35a2363b2911bf742580722b971654b0
                                                                                          • Instruction ID: 373fd77f09df2fe48be697db63a1f813c7a4519f124708913cdba13c6cdccbaa
                                                                                          • Opcode Fuzzy Hash: 6118ecc60de4efa0c3cad7db4edc76bc35a2363b2911bf742580722b971654b0
                                                                                          • Instruction Fuzzy Hash: 2A819FF4A005828FCB94EF69C58896EBBB2FF8AB18B159169D406D7360DB31E841CB51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C807A8 Relevance: .2, Instructions: 224COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 60c9e688539e888e6cb67827ebd57c972653fe86d11aed7f335e831b61c1fbe5
                                                                                          • Instruction ID: 7872d5b35c7e6a5b57bac60fbacb1ec645ffef8cfa2ffda9307831216b3ca95f
                                                                                          • Opcode Fuzzy Hash: 60c9e688539e888e6cb67827ebd57c972653fe86d11aed7f335e831b61c1fbe5
                                                                                          • Instruction Fuzzy Hash: 7DA1D471910619CFDB10EF68C850A99FBB5FF49314F05C2A9D949BB215EB30AAC9CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8ECF0 Relevance: .2, Instructions: 207COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a66f780b1865e75a054af7ba2f5a874148e439984bc2150264270b6a9430d169
                                                                                          • Instruction ID: 159b0c3b319e93f40f1e6500514f1bbb3cbc1051e13262b96ae9e24983666710
                                                                                          • Opcode Fuzzy Hash: a66f780b1865e75a054af7ba2f5a874148e439984bc2150264270b6a9430d169
                                                                                          • Instruction Fuzzy Hash: E371F2B4A043458FDB01DB64C880BEEBBB0EF46308F5885A7E495DB291D334DD45CB66
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8BE90 Relevance: .2, Instructions: 155COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c149b61bc7b43645ba204134806db93b2c214980684a6afd06ce9040d62feda8
                                                                                          • Instruction ID: bc2a8ad3c6edeed09e20c7e77c6c0541c418b2dda1ae51142ccbb40e5221a610
                                                                                          • Opcode Fuzzy Hash: c149b61bc7b43645ba204134806db93b2c214980684a6afd06ce9040d62feda8
                                                                                          • Instruction Fuzzy Hash: 4451A1B1B042058FCB25EB79D8884BFBBF6EFC42187158969E529DB350EB30DD0587A1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C81D5F Relevance: .1, Instructions: 137COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cf2e082af8f9cfc778ebca99ec61519d1da62c00305db901c843fcb597a2da76
                                                                                          • Instruction ID: b3906da6d31d17822cba5359ca85bfaf34609a51515d679f788841ce6076ec3a
                                                                                          • Opcode Fuzzy Hash: cf2e082af8f9cfc778ebca99ec61519d1da62c00305db901c843fcb597a2da76
                                                                                          • Instruction Fuzzy Hash: 9541F6B0D042599BCB55EFA9C8846AEBBF2FF42219F18456FD404D7341DB305D46CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8E7E0 Relevance: .1, Instructions: 109COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 108c9ebdbc78276ffa1a8f1953e821de1a9d049fa03a2aaf0fe807e86238e510
                                                                                          • Instruction ID: eb9dc1a11c7fc00d1ed4e76c1534fee0d9bc300892c457ae35d5dfc0c63bd561
                                                                                          • Opcode Fuzzy Hash: 108c9ebdbc78276ffa1a8f1953e821de1a9d049fa03a2aaf0fe807e86238e510
                                                                                          • Instruction Fuzzy Hash: 1B41E8B5A09280CFC742AB2DDC946ADBBA0EF07315F0646E3D094DB2A2C734CD44C766
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C82622 Relevance: .1, Instructions: 106COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c49974a39cdcd2fc107feee0100ee5ae198b5b574b95ca37674bdc9f13217d5f
                                                                                          • Instruction ID: 5b0affae645b23657033f92741ebb5fce95678274276600cc45059f0a904896b
                                                                                          • Opcode Fuzzy Hash: c49974a39cdcd2fc107feee0100ee5ae198b5b574b95ca37674bdc9f13217d5f
                                                                                          • Instruction Fuzzy Hash: 7041C47170420A9FCB06AF65D89CAAE7BA6FF89314F044029F9058B350CB38CD55CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C81E40 Relevance: .1, Instructions: 103COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a9f8ac67004d57ec3e9550f5166d2cf34519d331719eb5b7e504a4daa6f38706
                                                                                          • Instruction ID: eb9c148fb665178055cb88257ca13f92cf71f3f50a983e040211e4fb8ab55fc3
                                                                                          • Opcode Fuzzy Hash: a9f8ac67004d57ec3e9550f5166d2cf34519d331719eb5b7e504a4daa6f38706
                                                                                          • Instruction Fuzzy Hash: 6641CDB4E01209CFCB94DFA9D5856EEBBF2BF88314F24842AE415A7250DB346946CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8AEB0 Relevance: .1, Instructions: 96COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: add8deee4330c108a08e35b76ed775fab225c41a2cfa4d4b89185df2c337bca5
                                                                                          • Instruction ID: da33b531332f3e92d91549fb7e07578b7f65d19751abcf01e12f47a8a2dbe6d0
                                                                                          • Opcode Fuzzy Hash: add8deee4330c108a08e35b76ed775fab225c41a2cfa4d4b89185df2c337bca5
                                                                                          • Instruction Fuzzy Hash: 0941F374E002199FDB08DFA9D894AAEBBF6FF88300F11802AE505B7354DB359941DFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C81C30 Relevance: .1, Instructions: 94COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: faab243aaef4ece14cdd9ddaf5aa5fe6b9decea128b22575bec2a973685a5b61
                                                                                          • Instruction ID: 4ab248925cdc9d48d2c9e85a6449d78eb4cc40b0bfc459636370f5a14d0eb582
                                                                                          • Opcode Fuzzy Hash: faab243aaef4ece14cdd9ddaf5aa5fe6b9decea128b22575bec2a973685a5b61
                                                                                          • Instruction Fuzzy Hash: 7341C474E00209DFDB48DFA9D859AEEBBB6FF88310F14812AE915A7354DB345941CF50
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C833C9 Relevance: .1, Instructions: 79COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e47dfe94fedfd5459d385ccea91c63953dd3d96e3f137e132ed7a7a9ee900358
                                                                                          • Instruction ID: a8ff2222989fb6e623867042de5b423aa56bd6e3652ce2b5bdf92d753202a12e
                                                                                          • Opcode Fuzzy Hash: e47dfe94fedfd5459d385ccea91c63953dd3d96e3f137e132ed7a7a9ee900358
                                                                                          • Instruction Fuzzy Hash: 462134753006128BC726AA3AD89862EBB96FFC9B58B084079E906CB350CF34DC05CBC0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8FC7E Relevance: .1, Instructions: 78COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f97f263cfe460dc7276d22e4537a43f444644a59d6a3b40cdd6a9a8963d9d9b9
                                                                                          • Instruction ID: 0cdbba21cc91d3e753953cda7d42ee6614ade23527a6a2d984f32ab6c662886d
                                                                                          • Opcode Fuzzy Hash: f97f263cfe460dc7276d22e4537a43f444644a59d6a3b40cdd6a9a8963d9d9b9
                                                                                          • Instruction Fuzzy Hash: A4210AB1615505CBC7B05F69C8403BAB3A1EF8230DF048A2FF9A5C62D1E338C653C621
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017ED4D8 Relevance: .1, Instructions: 75COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277532014.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17ed000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2940f214391a82385af12a974b55b8a166956653695d7056c8d706d81d38aee0
                                                                                          • Instruction ID: 2ef6d0ac1546623a9c17c3bc7c3e637662fd5bacab4d866a82c9ec22eed1dfb8
                                                                                          • Opcode Fuzzy Hash: 2940f214391a82385af12a974b55b8a166956653695d7056c8d706d81d38aee0
                                                                                          • Instruction Fuzzy Hash: D72106B1504244DFDB25CF94D9C4B2AFBE5FB8C328F3485A9E9054B206C336D855CAA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C86428 Relevance: .1, Instructions: 74COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a19a874f41b5530aed2b547ce85e2958e501c6ef000432683a5d5f29fdf21d0e
                                                                                          • Instruction ID: 6df4738f1429b19c9571086162e4da74625288a92698e347c4f6e6774e6aec7b
                                                                                          • Opcode Fuzzy Hash: a19a874f41b5530aed2b547ce85e2958e501c6ef000432683a5d5f29fdf21d0e
                                                                                          • Instruction Fuzzy Hash: 7A2181B5B041068FCB50EF78C48495E7BF1EF89218F194066E505DB362D730ED44CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C802B0 Relevance: .1, Instructions: 74COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eddc138536d6247faa9c1d9da71493938a9980f6a88bb7598dd0ff782e8bc7b2
                                                                                          • Instruction ID: 86e2fb0015cc4354c90a667d7c753f87448fb3f0ebcd801139cca1cc5fafdd93
                                                                                          • Opcode Fuzzy Hash: eddc138536d6247faa9c1d9da71493938a9980f6a88bb7598dd0ff782e8bc7b2
                                                                                          • Instruction Fuzzy Hash: F7212FB5300A019FC3A4EF29C58492AB3F5FF89624B11466DE55AC7760DB70FC45CB61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017FD01C Relevance: .1, Instructions: 72COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277555818.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17fd000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 10487b7a15e104813e201ec045f5590ec957822d1a484b0858bc8fcfc8027fd9
                                                                                          • Instruction ID: becc986cb21e74dcabaf4464efbb7b42ee2814bab5760a03a62067fcb953aad6
                                                                                          • Opcode Fuzzy Hash: 10487b7a15e104813e201ec045f5590ec957822d1a484b0858bc8fcfc8027fd9
                                                                                          • Instruction Fuzzy Hash: D22125B1604244DFDB25DF64D9C0B2BFB65FB88354F20C5ADEA094B346C336D806CA61
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017FD1D4 Relevance: .1, Instructions: 72COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277555818.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17fd000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3e6425db991a5166e722ab7298b26699a1cda85078a10ae8ed68fb5f161e83e7
                                                                                          • Instruction ID: 9a3a1dbd7ced2dfd880cdac4f4718a147d2a7ae5f704c43aea3a4af6526c9d23
                                                                                          • Opcode Fuzzy Hash: 3e6425db991a5166e722ab7298b26699a1cda85078a10ae8ed68fb5f161e83e7
                                                                                          • Instruction Fuzzy Hash: 2C213AB5508244DFDB11CF94C5C0B2BFB65FB84324F20C5ADDA094B346C336D806CAA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8AD80 Relevance: .1, Instructions: 71COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f41141d48c72cac69fcce0017ff6b6edaffd47c95b430dc8a257c539201d5dc9
                                                                                          • Instruction ID: bdcc42bc8058fe42cce08899ff1f1a0c70bf33cee2b5cf8cabc8fd7aa7383c1b
                                                                                          • Opcode Fuzzy Hash: f41141d48c72cac69fcce0017ff6b6edaffd47c95b430dc8a257c539201d5dc9
                                                                                          • Instruction Fuzzy Hash: 842155B4E05209DFCB88EFA6C5487AEFBB5BB4530AF10C4AAD505A7290D7344B84DB51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8FD8E Relevance: .1, Instructions: 62COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3685daf6f6f24a2c98439b5a3b22fab09e5c2fc02592c1c25a3f7741f3cd4c85
                                                                                          • Instruction ID: 6ca000fcc99245f439d782f90903a0df5eab18a501b2d3add16b48e935573d8b
                                                                                          • Opcode Fuzzy Hash: 3685daf6f6f24a2c98439b5a3b22fab09e5c2fc02592c1c25a3f7741f3cd4c85
                                                                                          • Instruction Fuzzy Hash: 1411C170B08148AFDB44AB708C15BBE3BB7EBC9304F118069E606EB284CF3499028B91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8FEC0 Relevance: .1, Instructions: 61COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a299d3e94854a1038d273c7c2dccc6c2f99b20e8641a525780c82a1a136481dc
                                                                                          • Instruction ID: e40cf39ef8502c6925dd3da7c41f7549a4543ef594b5bf14d4ef9fa811ed2a08
                                                                                          • Opcode Fuzzy Hash: a299d3e94854a1038d273c7c2dccc6c2f99b20e8641a525780c82a1a136481dc
                                                                                          • Instruction Fuzzy Hash: AC11D370905208DFC740EFB4E45D6AEBBF5EF45308F6186AAD4089B220EB359E45CB85
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8C2A0 Relevance: .1, Instructions: 58COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 155cceaea76207a306e628c678421d02052be4116bd28a7c093f85f9b6cab262
                                                                                          • Instruction ID: e19814b891df5739a73f6a11ab54d8a229f5aded093c1017249ee579581a968f
                                                                                          • Opcode Fuzzy Hash: 155cceaea76207a306e628c678421d02052be4116bd28a7c093f85f9b6cab262
                                                                                          • Instruction Fuzzy Hash: EB114C71B0021A8BCB64EBA8D9505FEB7B6BF88258B54407AC514E7340EB318D4A8BB1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8D5F8 Relevance: .1, Instructions: 57COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3cc9c6447c7f7a1a57181269abcd32f537972fe703611677687f88d5635acb19
                                                                                          • Instruction ID: a4ffa8535a56491defa8fb241dcce06f9a19077a20bf611faaf6517e6a34a8ae
                                                                                          • Opcode Fuzzy Hash: 3cc9c6447c7f7a1a57181269abcd32f537972fe703611677687f88d5635acb19
                                                                                          • Instruction Fuzzy Hash: B411D334F842459FD300AB70D05AAADB7A2AB8D308F20C439D416AF7C8DB74D915CBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017ED4D3 Relevance: .1, Instructions: 56COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277532014.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17ed000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 98abe1bd786442cf91278a09081023498efb3f05c37cabdab074b36fb495d528
                                                                                          • Instruction ID: fc391bd25166865775ed28f29e8403d9a18d3c386ab6405750c746c5cf648caa
                                                                                          • Opcode Fuzzy Hash: 98abe1bd786442cf91278a09081023498efb3f05c37cabdab074b36fb495d528
                                                                                          • Instruction Fuzzy Hash: 8F11AF76504280DFCB12CF54D9C4B1AFFB1FB88324F2486A9D9050B656C33AD45ACBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017FD1CF Relevance: .1, Instructions: 53COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277555818.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17fd000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 16c61bb5afbd5972eefcc089b1484a7a4c37a7b643b12c87c30c18ec8848ad14
                                                                                          • Instruction ID: 0948c75ed5a2a02c819f8906553668794e0db306dc6c2dcdbe0ec5ee98179d0d
                                                                                          • Opcode Fuzzy Hash: 16c61bb5afbd5972eefcc089b1484a7a4c37a7b643b12c87c30c18ec8848ad14
                                                                                          • Instruction Fuzzy Hash: B411BB79908280DFCB12CF54C5C0B16FBA1FB84224F28C6AED9494B756C33AD44ACBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017FD017 Relevance: .1, Instructions: 53COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277555818.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17fd000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 16c61bb5afbd5972eefcc089b1484a7a4c37a7b643b12c87c30c18ec8848ad14
                                                                                          • Instruction ID: 51fe2307171a6023174ad64c099415ffebb70c94cd6e572a875f0a986c7ac901
                                                                                          • Opcode Fuzzy Hash: 16c61bb5afbd5972eefcc089b1484a7a4c37a7b643b12c87c30c18ec8848ad14
                                                                                          • Instruction Fuzzy Hash: 5311BE75504284DFCB12CF18D5C4B16FB61FB44314F24C6ADD9494B756C33AD44ACB62
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017ED785 Relevance: .0, Instructions: 45COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277532014.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17ed000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ff72f1b642312d3017bc4033c804dc1943484ed396845211b213da5ced77c0d
                                                                                          • Instruction ID: d8fc6780099507e85d68afd7899cf4d8fd7cb043597580778ddb830b968c48c8
                                                                                          • Opcode Fuzzy Hash: 6ff72f1b642312d3017bc4033c804dc1943484ed396845211b213da5ced77c0d
                                                                                          • Instruction Fuzzy Hash: 3F01A7714483C49AE7304B6ACD88B6AFBD8EF4A378F18C45AEE045A247D7799844C671
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 017ED784 Relevance: .0, Instructions: 36COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277532014.00000000017ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 017ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_17ed000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 021892b639888e0485a6bc6ced1cd1960ea9f1b4c1aebea175f73df637de54e4
                                                                                          • Instruction ID: be34c45636f477bfcc3c598ddb82277e2252222393b427edc88bde93eea531a1
                                                                                          • Opcode Fuzzy Hash: 021892b639888e0485a6bc6ced1cd1960ea9f1b4c1aebea175f73df637de54e4
                                                                                          • Instruction Fuzzy Hash: 21F0C2754042849EE7208F1ACC88B62FFE8EB45374F18C05AED084B287C3789844DAB0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8D75C Relevance: .0, Instructions: 24COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0880b99a1de22b15d8306e039a9a6076dd8c78d70f1503a983689a34c61496e6
                                                                                          • Instruction ID: 8b841d4ce6d004a4fe47a8b7f7f932b7b712de72185e6a62f87bfa5027cc220a
                                                                                          • Opcode Fuzzy Hash: 0880b99a1de22b15d8306e039a9a6076dd8c78d70f1503a983689a34c61496e6
                                                                                          • Instruction Fuzzy Hash: 42E04F32B444E84F4644DAA8E0116AD73D6DB89064723827AC209DF75DDF61CC1157A3
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8AD30 Relevance: .0, Instructions: 22COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f5ef80f0b9c7137e1637eb6af283156b4968b8a1361b7fd9182a655ab630494
                                                                                          • Instruction ID: 2333a89473296333cad1866080cb3dc937da2cd59c6f2fe5e5bef607076a3bc6
                                                                                          • Opcode Fuzzy Hash: 5f5ef80f0b9c7137e1637eb6af283156b4968b8a1361b7fd9182a655ab630494
                                                                                          • Instruction Fuzzy Hash: AAE01A74D0420CEFCB58EFB9E54969EBBB5BB49305F10C1AAC808A3240EF305A04CF41
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C8BE75 Relevance: .0, Instructions: 6COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285649194.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7c80000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fbaecd86186fd257112bf94697a99d887d3b1a830207e4253d92b43e783b438d
                                                                                          • Instruction ID: 41ab7da7ae816bd335a5bffb6056236597e746df8efdf90a3c208e18fcfd734a
                                                                                          • Opcode Fuzzy Hash: fbaecd86186fd257112bf94697a99d887d3b1a830207e4253d92b43e783b438d
                                                                                          • Instruction Fuzzy Hash: A4B0923A00001AFECB81AB50C948C49FBA1BF58708741C092A2584B430D732E82DEB02
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Function 0185C148 Relevance: .5, Instructions: 522COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae5cd96b02ce573bde890c1639db84fa2de03be63088b2c1961c186e830b8e43
                                                                                          • Instruction ID: 7d17e71ef50e74a8d9e521f8fc7c827a0e8d67bb0aa5c479ae664107a9f81676
                                                                                          • Opcode Fuzzy Hash: ae5cd96b02ce573bde890c1639db84fa2de03be63088b2c1961c186e830b8e43
                                                                                          • Instruction Fuzzy Hash: 935236B15017068FD720CF5CE8C859DBBB1FB45328F908219D561ABAD9D3B4678ACF84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 079869DC Relevance: .3, Instructions: 311COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285604529.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7980000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1b9256e29313a5d783e99faf7dc510db201e9cfb2247f1103bf08ecc4d9594ae
                                                                                          • Instruction ID: 997461c78cdef8c63c1085ed18cccba104a5d121ba86d47e777e805edd14a1f8
                                                                                          • Opcode Fuzzy Hash: 1b9256e29313a5d783e99faf7dc510db201e9cfb2247f1103bf08ecc4d9594ae
                                                                                          • Instruction Fuzzy Hash: EEB1E2B0A04215CFDB58EB74C840BAEB7B6AF85328F158569D516AB3E1CF35EC41CB81
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 079881A8 Relevance: .3, Instructions: 275COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.285604529.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_7980000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 39c59590df4409030d2b7fe2988f959d1c53401ab3904a6d45c78e96b21bd63f
                                                                                          • Instruction ID: 729148ffe96b5ec2888806b513bec0cfce6f9a761db7e21aeed55f25fc5c5549
                                                                                          • Opcode Fuzzy Hash: 39c59590df4409030d2b7fe2988f959d1c53401ab3904a6d45c78e96b21bd63f
                                                                                          • Instruction Fuzzy Hash: 74A1BFB17205068FCB54EF29C954E7EB7AAAF88318F598469E906DB360DB34DC41CB60
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0185A758 Relevance: .3, Instructions: 265COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.277695844.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_1850000_72QC-GMI2022.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9fd904d8270b05fd75282cd4c735de2013f629bac7f24fb7bdf20d1b833bfce1
                                                                                          • Instruction ID: f37b9176de58a62f365f9eb7a8a3488db6484e2bf13a71e82934329c43dfaa58
                                                                                          • Opcode Fuzzy Hash: 9fd904d8270b05fd75282cd4c735de2013f629bac7f24fb7bdf20d1b833bfce1
                                                                                          • Instruction Fuzzy Hash: 33A14136E0021A8FCF15DFA9C8845DDBBB2FF95300B15816AE905FB225EB35AA45CF40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Execution Graph

                                                                                          Execution Coverage:13.1%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:44
                                                                                          Total number of Limit Nodes:2
                                                                                          execution_graph 37287 7c26c53 37288 7c26c66 37287->37288 37292 7c26e80 PostMessageW 37288->37292 37294 7c26e50 37288->37294 37289 7c26c89 37293 7c26eec 37292->37293 37293->37289 37295 7c26e80 PostMessageW 37294->37295 37296 7c26eec 37295->37296 37296->37289 37279 7c27800 37282 7c27865 37279->37282 37280 7c27cc8 WaitMessage 37280->37282 37282->37280 37283 7c278b2 37282->37283 37284 7c26724 37282->37284 37285 7c284c0 DispatchMessageW 37284->37285 37286 7c2852c 37285->37286 37286->37282 37299 7c24f68 37300 7c24f7a 37299->37300 37304 7c25040 37300->37304 37308 7c25030 37300->37308 37306 7c25067 37304->37306 37305 7c250bf 37306->37305 37312 7c20620 37306->37312 37309 7c25067 37308->37309 37310 7c250bf 37309->37310 37311 7c20620 KiUserCallbackDispatcher 37309->37311 37311->37310 37313 7c2062b 37312->37313 37315 7c25242 37313->37315 37316 7c20650 37313->37316 37315->37305 37317 7c252e8 KiUserCallbackDispatcher 37316->37317 37318 7c2534f 37317->37318 37318->37315 37319 71a73b0 37320 71a73ce 37319->37320 37323 71a5788 37320->37323 37322 71a7405 37325 71a8ed0 LoadLibraryA 37323->37325 37326 71a8fac 37325->37326 37297 7c25819 OleInitialize 37298 7c2584c 37297->37298 37327 7c2652d 37328 7c264bf 37327->37328 37328->37327 37330 7c247a8 37328->37330 37332 7c247b3 37330->37332 37331 7c26af7 37331->37328 37332->37331 37333 7c26ac7 GetCurrentThreadId 37332->37333 37333->37331

                                                                                          Executed Functions

                                                                                          Function 08090040 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 496processCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 8090040-80900be 6 80903a4-80903b5 0->6 7 80900c4-80900d8 0->7 11 809037a-809037b 6->11 12 80903b7-80903b9 6->12 7->6 8 80900de-80900ee 7->8 8->6 10 80900f4-8090103 8->10 10->6 13 8090109-809012f 10->13 14 809037e 11->14 12->14 15 80903bb-809042a 12->15 19 809013d-8090162 13->19 20 8090131-809013a 13->20 118 809037e call 80908a8 14->118 119 809037e call 8090940 14->119 120 809037e call 80908a3 14->120 21 809042c-8090436 15->21 22 8090463-8090483 15->22 17 8090383-8090389 112 809038b call 809068b 17->112 113 809038b call 8090690 17->113 28 8090170-8090174 19->28 29 8090164-809016d 19->29 21->22 25 8090438-809043a 21->25 35 80904bc-80904ea 22->35 36 8090485-809048f 22->36 24 8090390-809039c 26 809045d-8090460 25->26 27 809043c-8090446 25->27 26->22 31 8090448 27->31 32 809044a-8090459 27->32 33 8090185 28->33 34 8090176-8090183 28->34 31->32 32->32 37 809045b 32->37 38 809018a-809018c 33->38 34->38 45 80904ec-80904f6 35->45 46 8090523-8090542 35->46 36->35 39 8090491-8090493 36->39 37->26 41 809018e-809019f 38->41 42 80901a2-80901c4 38->42 43 8090495-809049f 39->43 44 80904b6-80904b9 39->44 41->42 105 80901c6 call 8090011 42->105 106 80901c6 call 8090040 42->106 47 80904a1 43->47 48 80904a3-80904b2 43->48 44->35 45->46 49 80904f8-80904fa 45->49 58 8090552-809055f 46->58 59 8090544-8090550 46->59 47->48 48->48 52 80904b4 48->52 53 809051d-8090520 49->53 54 80904fc-8090506 49->54 52->44 53->46 56 8090508 54->56 57 809050a-8090519 54->57 56->57 57->57 61 809051b 57->61 62 809056f-80905be CreateProcessA 58->62 63 8090561-809056d 58->63 59->58 60 80901cb-80901cd 64 80901db-80901eb 60->64 65 80901cf-80901d8 60->65 61->53 66 80905c0-80905c6 62->66 67 80905c7-8090607 62->67 63->62 64->6 68 80901f1-80901f4 64->68 66->67 74 8090609-809060d 67->74 75 8090617-809061b 67->75 121 80901f7 call 809068b 68->121 122 80901f7 call 8090690 68->122 70 80901fc-809020f 110 8090212 call 8090738 70->110 111 8090212 call 8090733 70->111 73 8090217-8090219 76 809021b-8090224 73->76 77 809022d-8090234 73->77 74->75 78 809060f 74->78 79 809062b-809062f 75->79 80 809061d-8090621 75->80 76->77 77->6 81 809023a-8090252 77->81 78->75 83 809063f 79->83 84 8090631-8090635 79->84 80->79 82 8090623 80->82 114 8090255 call 80907eb 81->114 115 8090255 call 80907f0 81->115 82->79 86 8090640 83->86 84->83 85 8090637 84->85 85->83 86->86 87 809025a-809026a 88 8090270-80902a1 87->88 89 8090314-809031b 87->89 88->6 93 80902a7-80902cc 88->93 89->6 90 8090321-8090324 89->90 107 8090327 call 80908a8 90->107 108 8090327 call 8090940 90->108 109 8090327 call 80908a3 90->109 92 809032c-809034a 94 809034c-8090350 92->94 95 8090354-8090358 92->95 96 80902da-80902de 93->96 97 80902ce-80902d2 93->97 99 809039f 94->99 101 8090352 94->101 95->99 102 809035a-809035f 95->102 96->99 100 80902e4-80902ed 96->100 98 80902d8 97->98 97->99 98->100 99->6 116 80902ef call 80907eb 100->116 117 80902ef call 80907f0 100->117 101->102 123 8090361 call 80907eb 102->123 124 8090361 call 80907f0 102->124 103 80902f4-809030e 103->88 103->89 104 8090366-8090378 104->11 105->60 106->60 107->92 108->92 109->92 110->73 111->73 112->24 113->24 114->87 115->87 116->103 117->103 118->17 119->17 120->17 121->70 122->70 123->104 124->104
                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000), ref: 080905AE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID: MZ
                                                                                          • API String ID: 963392458-2410715997
                                                                                          • Opcode ID: bacc5309b91d5f6346ce62473c3faf38fcf37d0107f28d80c1b76b16521ac676
                                                                                          • Instruction ID: 71cabca7a5a4de59cc9b918e5393589d4b1ef1066b199599caf534cdde4aa33c
                                                                                          • Opcode Fuzzy Hash: bacc5309b91d5f6346ce62473c3faf38fcf37d0107f28d80c1b76b16521ac676
                                                                                          • Instruction Fuzzy Hash: EF123671E00608DFDF50CFA9C985B9EBBF2FF88311F148129E958AB290D7749885DB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C27800 Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 648 7c27800-7c27863 649 7c27892-7c278b0 648->649 650 7c27865-7c2788f 648->650 655 7c278b2-7c278b4 649->655 656 7c278b9-7c278f0 649->656 650->649 658 7c27d72-7c27d87 655->658 660 7c27d21 656->660 661 7c278f6-7c2790a 656->661 664 7c27d26-7c27d3c 660->664 662 7c27939-7c27958 661->662 663 7c2790c-7c27936 661->663 670 7c27970-7c27972 662->670 671 7c2795a-7c27960 662->671 663->662 664->658 674 7c27991-7c2799a 670->674 675 7c27974-7c2798c 670->675 672 7c27962 671->672 673 7c27964-7c27966 671->673 672->670 673->670 677 7c279a2-7c279a9 674->677 675->664 678 7c279b3-7c279ba 677->678 679 7c279ab-7c279b1 677->679 681 7c279c4 678->681 682 7c279bc-7c279c2 678->682 680 7c279c7-7c279e4 call 7c266d8 679->680 685 7c279ea-7c279f1 680->685 686 7c27b39-7c27b3d 680->686 681->680 682->680 685->660 687 7c279f7-7c27a34 685->687 688 7c27b43-7c27b47 686->688 689 7c27d0c-7c27d1f 686->689 697 7c27d02-7c27d06 687->697 698 7c27a3a-7c27a3f 687->698 690 7c27b61-7c27b6a 688->690 691 7c27b49-7c27b5c 688->691 689->664 693 7c27b99-7c27ba0 690->693 694 7c27b6c-7c27b96 690->694 691->664 695 7c27ba6-7c27bad 693->695 696 7c27c3f-7c27c54 693->696 694->693 699 7c27baf-7c27bd9 695->699 700 7c27bdc-7c27bfe 695->700 696->697 712 7c27c5a-7c27c5c 696->712 697->677 697->689 701 7c27a71-7c27a86 call 7c266fc 698->701 702 7c27a41-7c27a4f call 7c266e4 698->702 699->700 700->696 735 7c27c00-7c27c0a 700->735 710 7c27a8b-7c27a8f 701->710 702->701 715 7c27a51-7c27a6a call 7c266f0 702->715 716 7c27b00-7c27b0d 710->716 717 7c27a91-7c27aa3 call 7c26708 710->717 713 7c27ca9-7c27cc6 call 7c266d8 712->713 714 7c27c5e-7c27c97 712->714 713->697 732 7c27cc8-7c27cf4 WaitMessage 713->732 729 7c27ca0-7c27ca7 714->729 730 7c27c99-7c27c9f 714->730 725 7c27a6f 715->725 716->697 733 7c27b13-7c27b1d call 7c26718 716->733 740 7c27ae3-7c27afb 717->740 741 7c27aa5-7c27ad5 717->741 725->710 729->697 730->729 737 7c27cf6 732->737 738 7c27cfb 732->738 745 7c27b1f-7c27b22 call 7c26724 733->745 746 7c27b2c-7c27b34 call 7c26730 733->746 748 7c27c22-7c27c25 735->748 749 7c27c0c-7c27c12 735->749 737->738 738->697 740->664 756 7c27ad7 741->756 757 7c27adc 741->757 752 7c27b27 745->752 746->697 758 7c27c2e-7c27c3d 748->758 753 7c27c16-7c27c18 749->753 754 7c27c14 749->754 752->697 753->748 754->748 756->757 757->740 758->696 758->735
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: DispatchMessage
                                                                                          • String ID:
                                                                                          • API String ID: 2061451462-0
                                                                                          • Opcode ID: c92984a2cf29a41d2febe979568883a64f12c6d563f20abff91180b56d1acfe2
                                                                                          • Instruction ID: 207e97ae80971377a6128c2ed2773bf8b22d7239d5873023beb05b3d5ddff001
                                                                                          • Opcode Fuzzy Hash: c92984a2cf29a41d2febe979568883a64f12c6d563f20abff91180b56d1acfe2
                                                                                          • Instruction Fuzzy Hash: 14F19DB0A00319CFDB14DFA9C888BADBBF1BF48314F158568E509AB365DB70E946DB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 080907EB Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2029 80907eb-8090868 NtWriteVirtualMemory 2031 809086a-8090870 2029->2031 2032 8090871-809088e 2029->2032 2031->2032
                                                                                          APIs
                                                                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0809085B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryVirtualWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3527976591-0
                                                                                          • Opcode ID: 44b526a20aa769e1bcff94ff4ac2e91d121e3d8d95f3295904c23bbdc24edb97
                                                                                          • Instruction ID: a9578882db2762bc3de98fc54e0dc70ccc5f5a893622f4bcb2974dc65d3d4dd5
                                                                                          • Opcode Fuzzy Hash: 44b526a20aa769e1bcff94ff4ac2e91d121e3d8d95f3295904c23bbdc24edb97
                                                                                          • Instruction Fuzzy Hash: 411112B59006499FCB10CFAAC884BDEBFF5AB48320F148419E568A7610D775A954CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 080907F0 Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2047 80907f0-8090868 NtWriteVirtualMemory 2049 809086a-8090870 2047->2049 2050 8090871-809088e 2047->2050 2049->2050
                                                                                          APIs
                                                                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0809085B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryVirtualWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3527976591-0
                                                                                          • Opcode ID: dfa8f90dea104aa92f1efa85e297ee66c0d6284395688124634e02b0807644a8
                                                                                          • Instruction ID: d36681def12e09b79c29248844648fb5b3d597d8ae24c053a9f231d8604bc8a4
                                                                                          • Opcode Fuzzy Hash: dfa8f90dea104aa92f1efa85e297ee66c0d6284395688124634e02b0807644a8
                                                                                          • Instruction Fuzzy Hash: 4811F0B59006489FCF10CF9AC884BDEBBF8AB88324F158419E568A7210D775A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0809068B Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2053 809068b-80906ff NtResumeThread 2055 8090708-8090725 2053->2055 2056 8090701-8090707 2053->2056 2056->2055
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 0a1156c028feff11b95a80f13329e63beb8bd6fc731c9de281a14612d118712f
                                                                                          • Instruction ID: 0bbbbbf294b4744099ba9473423ddc0af4cbbcf84747afd8e2af2561854ab827
                                                                                          • Opcode Fuzzy Hash: 0a1156c028feff11b95a80f13329e63beb8bd6fc731c9de281a14612d118712f
                                                                                          • Instruction Fuzzy Hash: 561122B1D046488FCB10CF9AD884BEEFBF5AB88324F14841AD559A3710D774A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 080908A3 Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2059 80908a3-8090917 NtSetContextThread 2062 8090919-809091f 2059->2062 2063 8090920-809093d 2059->2063 2062->2063
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: ba23f77eafa94eddf35d38112d15f82a2168968564f5c881e73c9811387f7fc5
                                                                                          • Instruction ID: 659b9267b24df9acaf4ac942cf820ce87356369792fbc391cb6d0de1d56b087b
                                                                                          • Opcode Fuzzy Hash: ba23f77eafa94eddf35d38112d15f82a2168968564f5c881e73c9811387f7fc5
                                                                                          • Instruction Fuzzy Hash: 971125B59046498FDB10CFAAC884BDEFBF4EF89324F24841AD568A7341D774A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 08090690 Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: e0d8f4c323ca77e1438e220fb990f3f461e6eabcabaff81ebe42414fb0408a0c
                                                                                          • Instruction ID: fbd042b7ac8976c8a95eb55140a5dea01f805e6b6caf94d28f053cd0261bffc5
                                                                                          • Opcode Fuzzy Hash: e0d8f4c323ca77e1438e220fb990f3f461e6eabcabaff81ebe42414fb0408a0c
                                                                                          • Instruction Fuzzy Hash: 0411FEB5D046498FCB10CFAAD884B9EFBF8AB88224F14841AD559A7710D774A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 080908A8 Relevance: 1.5, APIs: 1, Instructions: 48nativethreadCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: 6566f94caa22c90fe8b6f427847e4a038ba2f618e9e2e05aec10004e29a784ee
                                                                                          • Instruction ID: 0c2b0574ea8b0f533e2930b0c6c7ee6ff2b6ff050a72777903e7d67ec69fa613
                                                                                          • Opcode Fuzzy Hash: 6566f94caa22c90fe8b6f427847e4a038ba2f618e9e2e05aec10004e29a784ee
                                                                                          • Instruction Fuzzy Hash: 2C11F2B59046488FDB10CF9AC884B9EFBF8EB88224F14841AD569A7310D774A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 08090940 Relevance: 1.5, APIs: 1, Instructions: 27nativethreadCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: fa9d7f3d6e3e7e89bbfd903b1c82be0d01697e37509fc61be91dc8457f8e2cae
                                                                                          • Instruction ID: 9eeb82b1ac183944979b1c7aeb69035c68c0b6f2f7bfb26a6439d6a25a0dbbd1
                                                                                          • Opcode Fuzzy Hash: fa9d7f3d6e3e7e89bbfd903b1c82be0d01697e37509fc61be91dc8457f8e2cae
                                                                                          • Instruction Fuzzy Hash: 67E022365087848FDF2187ADA4043CEBBE09F81224F26848BC088E3263C33C9588CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2A67B Relevance: .9, Instructions: 923COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 29a78b94aad43f6fc8ef4d6bf38ae4e934d14a9e04276557ba388c2ac8826c03
                                                                                          • Instruction ID: 6639797c90a54df45d54213535629d18b7dbfb32dddea953e2140bae3139e4e5
                                                                                          • Opcode Fuzzy Hash: 29a78b94aad43f6fc8ef4d6bf38ae4e934d14a9e04276557ba388c2ac8826c03
                                                                                          • Instruction Fuzzy Hash: 52A2EF74A01668CFDB65EF24C894BEDB7B2AF49304F1181E9D809A7368DB305E85EF01
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2AEBA Relevance: .5, Instructions: 545COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 27bb02e415e627335e8a7da95d0010264c1a594d7f0e89e549ec6fdee16b6538
                                                                                          • Instruction ID: 9c091c4f68a4baf800d7b6da412d027009d648da7ae0d15411456be708f1732b
                                                                                          • Opcode Fuzzy Hash: 27bb02e415e627335e8a7da95d0010264c1a594d7f0e89e549ec6fdee16b6538
                                                                                          • Instruction Fuzzy Hash: 1642DE74A01268CFDB65EF64C894BEDB7B2AF49304F1181E9D909A7364DB309E85EF01
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2ADD0 Relevance: .5, Instructions: 545COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7bf8cd703178250b7ac82bfd5c941bfde40cf803b2e60bacc368ab736e615607
                                                                                          • Instruction ID: 400c33bca3a0f95b044cc230453e1d081d61a816402b8443a5480c92fbf050a1
                                                                                          • Opcode Fuzzy Hash: 7bf8cd703178250b7ac82bfd5c941bfde40cf803b2e60bacc368ab736e615607
                                                                                          • Instruction Fuzzy Hash: 6142DE74A01268CFDB65EF64C894BEDB7B2AF49304F1181E9D909A7364DB309E85EF01
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2B17F Relevance: .5, Instructions: 541COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f2a8db7c5d2d0563d0344f5edd1bccfd42a40706306f2c9fbcc30c740ffcca1b
                                                                                          • Instruction ID: 3629c075167347557cbd3e384213bff649790673587b03081a1723e704abd574
                                                                                          • Opcode Fuzzy Hash: f2a8db7c5d2d0563d0344f5edd1bccfd42a40706306f2c9fbcc30c740ffcca1b
                                                                                          • Instruction Fuzzy Hash: 3E42EE74A01268CFDB65EF64C894BDDB7B2AF49304F1181E9D909A7368DB309E85EF01
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C22C3B Relevance: .4, Instructions: 375COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f1c7b9a6ba056f691c138111f3248608246fb085a9c7133ba288c43b112f9689
                                                                                          • Instruction ID: 8c5294f8f171147ce06896e56bc4499b964c387ba0a2cb14b97d0c7c576f118f
                                                                                          • Opcode Fuzzy Hash: f1c7b9a6ba056f691c138111f3248608246fb085a9c7133ba288c43b112f9689
                                                                                          • Instruction Fuzzy Hash: 0102D074A026688FDB65DF24C850BEDB7B2AF89314F1180E98949A7348CF349ED5EF44
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C22783 Relevance: .1, Instructions: 97COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3010157bffeba519a76a794be304b4417ed157826cb9a919b330231448100371
                                                                                          • Instruction ID: 31ac9d999614759a807e14b3f65b8dfd0205c56df072ec3879f5d7a99c1659f7
                                                                                          • Opcode Fuzzy Hash: 3010157bffeba519a76a794be304b4417ed157826cb9a919b330231448100371
                                                                                          • Instruction Fuzzy Hash: 4141C270E012288BEB54DFA5C954BEDBBB1BF89300F1491AAC809A7394DB355A89CF54
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C24290 Relevance: .1, Instructions: 91COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2935d55098006cb08f839995c8831c53fe633a4ab5f1c0b2bce39b5b1b40f260
                                                                                          • Instruction ID: ab02cc318166c92d5fe3917f151adddbbb59d65427552a0044dc8efe02bcf4a6
                                                                                          • Opcode Fuzzy Hash: 2935d55098006cb08f839995c8831c53fe633a4ab5f1c0b2bce39b5b1b40f260
                                                                                          • Instruction Fuzzy Hash: 1B31F3B1E112189FDB04DFA8D5907EEBBB2EF49304F14812AD905A7394DB395A89CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C20594 Relevance: .1, Instructions: 90COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 124a454490e5853ba8de450a4b975a1f466b2396a9503bb72e1d2a53c6da8fcd
                                                                                          • Instruction ID: bf2c05f727f9f6ee9daa5100441902f646e96c043c1278766d9431f8532d1d95
                                                                                          • Opcode Fuzzy Hash: 124a454490e5853ba8de450a4b975a1f466b2396a9503bb72e1d2a53c6da8fcd
                                                                                          • Instruction Fuzzy Hash: 8331F370E112189FCB44DFA5D590BEEBBF2FF89304F10812AD805A7354DB355A85CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 071A5788 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1365 71a5788-71a8f27 1367 71a8f29-71a8f33 1365->1367 1368 71a8f60-71a8faa LoadLibraryA 1365->1368 1367->1368 1369 71a8f35-71a8f37 1367->1369 1373 71a8fac-71a8fb2 1368->1373 1374 71a8fb3-71a8fe4 1368->1374 1371 71a8f5a-71a8f5d 1369->1371 1372 71a8f39-71a8f43 1369->1372 1371->1368 1375 71a8f47-71a8f56 1372->1375 1376 71a8f45 1372->1376 1373->1374 1380 71a8fe6-71a8fea 1374->1380 1381 71a8ff4 1374->1381 1375->1375 1378 71a8f58 1375->1378 1376->1375 1378->1371 1380->1381 1382 71a8fec 1380->1382 1383 71a8ff5 1381->1383 1382->1381 1383->1383
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 071A8F9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352147228.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_71a0000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 64ed4e5a86fbea9dc9ef4ff6ca9ba563537fe4676918cf2d2b2507b84eddee89
                                                                                          • Instruction ID: 98d34f21b54e0e77d49619af3d335aa152787a0082e040fbc49f7ad96bc468d2
                                                                                          • Opcode Fuzzy Hash: 64ed4e5a86fbea9dc9ef4ff6ca9ba563537fe4676918cf2d2b2507b84eddee89
                                                                                          • Instruction Fuzzy Hash: 033134B4D0424AAFDB15CFA8C88579EBBF2FB18314F14852AE815EB380D7749885CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 071A8EC4 Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1384 71a8ec4-71a8f27 1386 71a8f29-71a8f33 1384->1386 1387 71a8f60-71a8faa LoadLibraryA 1384->1387 1386->1387 1388 71a8f35-71a8f37 1386->1388 1392 71a8fac-71a8fb2 1387->1392 1393 71a8fb3-71a8fe4 1387->1393 1390 71a8f5a-71a8f5d 1388->1390 1391 71a8f39-71a8f43 1388->1391 1390->1387 1394 71a8f47-71a8f56 1391->1394 1395 71a8f45 1391->1395 1392->1393 1399 71a8fe6-71a8fea 1393->1399 1400 71a8ff4 1393->1400 1394->1394 1397 71a8f58 1394->1397 1395->1394 1397->1390 1399->1400 1401 71a8fec 1399->1401 1402 71a8ff5 1400->1402 1401->1400 1402->1402
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 071A8F9A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352147228.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_71a0000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 6d8c92a093f7b863552048577b0b0e20bb27b6183ebb35e30f4a22387a5d9ea2
                                                                                          • Instruction ID: 2dbd2a944e474725bd929bdb92431ae086d1efe75f4736ee2b74e3f544373e86
                                                                                          • Opcode Fuzzy Hash: 6d8c92a093f7b863552048577b0b0e20bb27b6183ebb35e30f4a22387a5d9ea2
                                                                                          • Instruction Fuzzy Hash: FD3146B4D0024AAFDB15CFA8C885B9EBBF2FB18314F10852AE815EB380D7749845CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C26E50 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2024 7c26e50-7c26eea PostMessageW 2026 7c26ef3-7c26f14 2024->2026 2027 7c26eec-7c26ef2 2024->2027 2027->2026
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07C26EDD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: 638ce2abb3c71abfc3da3408fa9c505e0c3cc35136da44ba08a2f7dd7999d204
                                                                                          • Instruction ID: d1a52c912921db88d1e0a6a95bf6342b466d70e16fb5d8c7cb61f8bbe86af65a
                                                                                          • Opcode Fuzzy Hash: 638ce2abb3c71abfc3da3408fa9c505e0c3cc35136da44ba08a2f7dd7999d204
                                                                                          • Instruction Fuzzy Hash: FC2149B58043599FDB11CF99C885BEEFFF4EB09320F14445AE454A7641D338A949CBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 08090733 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2035 8090733-80907b0 VirtualAllocEx 2037 80907b9-80907d6 2035->2037 2038 80907b2-80907b8 2035->2038 2038->2037
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 080907A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: da5f857a7fd0e92423d5a8b2d35af3c444846d9a689f4876d416c5c7497799b6
                                                                                          • Instruction ID: 5ea162d996bc735674db1dca5a21a44b968d91f876c158068c88e74004a0b77e
                                                                                          • Opcode Fuzzy Hash: da5f857a7fd0e92423d5a8b2d35af3c444846d9a689f4876d416c5c7497799b6
                                                                                          • Instruction Fuzzy Hash: 2B1102B5D046489FCB10CF9AC884BEEBBF5BB88324F14841AE569A7310D775A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 08090738 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON
                                                                                          Download Yara Rule

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 2041 8090738-80907b0 VirtualAllocEx 2043 80907b9-80907d6 2041->2043 2044 80907b2-80907b8 2041->2044 2044->2043
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 080907A3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.353300564.0000000008090000.00000040.00000800.00020000.00000000.sdmp, Offset: 08090000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_8090000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 73057c041206c92b5b0ab7f3c3ff4b1343d75fca5ae8238a5dfce958b74cf9f0
                                                                                          • Instruction ID: a9d34a2f226a02d8002da4d8d2a5809c46a38df57c7e99391724bcd9512aefce
                                                                                          • Opcode Fuzzy Hash: 73057c041206c92b5b0ab7f3c3ff4b1343d75fca5ae8238a5dfce958b74cf9f0
                                                                                          • Instruction Fuzzy Hash: C91102B59006489FCB10CF9AC884BDEFBF4EB88324F148419E568A7210D775A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C26E80 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07C26EDD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: c40fbb58b1bf133a4a1b25fff6f7ee0c20b4d21fcff04bbee956e20be1726609
                                                                                          • Instruction ID: 173ddc11a8de160ee001177fea85f8d0345d411afbe8b7e24b63910cc3f5ed8d
                                                                                          • Opcode Fuzzy Hash: c40fbb58b1bf133a4a1b25fff6f7ee0c20b4d21fcff04bbee956e20be1726609
                                                                                          • Instruction Fuzzy Hash: AE1106B58003599FDB10CF9AC885BEEBBF8EB48324F148419E554A3640D378A944DFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C20650 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(?), ref: 07C25340
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 91b6316f0524862f87e1c63dfc41a19f3fd6a923632ed6dea2b58cfecdadf36e
                                                                                          • Instruction ID: cb12a3a786062bb3241f3e028457be533b356f7432751510b0e24116b05858d7
                                                                                          • Opcode Fuzzy Hash: 91b6316f0524862f87e1c63dfc41a19f3fd6a923632ed6dea2b58cfecdadf36e
                                                                                          • Instruction Fuzzy Hash: 561136B19042598FDB10CF9AD445BEEBBF4EB48320F10845AE554A3341D378A544CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C252E3 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(?), ref: 07C25340
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 9714aecade6b9bb8228e55675f825dcd93b0907c25dd5f1400fedee96af09d0d
                                                                                          • Instruction ID: b77cd3699a53c37fd7d4cb6e089905386b0424350db976c9fab3fdd107efec59
                                                                                          • Opcode Fuzzy Hash: 9714aecade6b9bb8228e55675f825dcd93b0907c25dd5f1400fedee96af09d0d
                                                                                          • Instruction Fuzzy Hash: 9A1136B2D042598FDB10CF99D484BEEBBF4FB48320F10841AE958A3340D378A544CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C257E0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 07C2583D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: 3a91a6e49b90d1dd1340a233b46c9a57667cc8596785b1612095a2b95d09a5e1
                                                                                          • Instruction ID: 4677d89fd9af0428eda6dcfe86a70733316686c1f7f6456168facce83158293c
                                                                                          • Opcode Fuzzy Hash: 3a91a6e49b90d1dd1340a233b46c9a57667cc8596785b1612095a2b95d09a5e1
                                                                                          • Instruction Fuzzy Hash: 061127B5D002588FCB10CF99E8457DEBBF4EB48324F14845AD519B7700C774A544CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C26724 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07C27B27), ref: 07C2851D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: DispatchMessage
                                                                                          • String ID:
                                                                                          • API String ID: 2061451462-0
                                                                                          • Opcode ID: 505079dc95938becce466e9e30bb59ba39cc2c16599bba6c4fa706a5bede6d7c
                                                                                          • Instruction ID: 7438535ffea0eac4dadd517ee5207745c0a247ce0c60a48fef98af1cbf7d0d55
                                                                                          • Opcode Fuzzy Hash: 505079dc95938becce466e9e30bb59ba39cc2c16599bba6c4fa706a5bede6d7c
                                                                                          • Instruction Fuzzy Hash: A611FEB1D046598FDB10CF9AD444BDEBBF4EB48324F10842AE519A3700D378A645CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C284B8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07C27B27), ref: 07C2851D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: DispatchMessage
                                                                                          • String ID:
                                                                                          • API String ID: 2061451462-0
                                                                                          • Opcode ID: 28c2d2c5ac72d458f5851c0c732398a3ab2057425640345ed7a037dfd9918b5f
                                                                                          • Instruction ID: f2a957ec4dfc38c351346844f4e6eb0160eb8a20be979b57770a75a19dbaca9d
                                                                                          • Opcode Fuzzy Hash: 28c2d2c5ac72d458f5851c0c732398a3ab2057425640345ed7a037dfd9918b5f
                                                                                          • Instruction Fuzzy Hash: 0111F2B5C046599FDB10CF9AE444BDEBBF4EB48324F10852AE519B3600D378A645CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C25819 Relevance: 1.5, APIs: 1, Instructions: 29comCOMMON
                                                                                          Download Yara Rule
                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 07C2583D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: a361655f94af992695a61beba7d22e1680834b143158f601aa5236756787151a
                                                                                          • Instruction ID: 1520254cad131c63ad74b56d51eb6e46c7409b4f4eb9f9f2b137fc9fb453613f
                                                                                          • Opcode Fuzzy Hash: a361655f94af992695a61beba7d22e1680834b143158f601aa5236756787151a
                                                                                          • Instruction Fuzzy Hash: 99F044B59002548FCB10CF99E48478EBBF0AB48328F11845AD119A3310C778A545CFA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Function 07C2B4A4 Relevance: .4, Instructions: 370COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3bf7467fc4c2dbe4b1b44140771867b34cf13f131fab6539dbe156cffb65c644
                                                                                          • Instruction ID: 93d234be127dd85025163906217c632fdb9b8734597dc860c72e8bb887706066
                                                                                          • Opcode Fuzzy Hash: 3bf7467fc4c2dbe4b1b44140771867b34cf13f131fab6539dbe156cffb65c644
                                                                                          • Instruction Fuzzy Hash: 5102DD74A41668CFDB65EF20C884BEDB7B2AF4A300F0145E99909A7368DB305E85EF05
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0527A559 Relevance: .1, Instructions: 66COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.351160200.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5270000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0723ae6cc5817654a2ceef851ad7cc6810c06d4b42b7d5d0452ea97b27460cf8
                                                                                          • Instruction ID: dc9e1fcc921cc5db91dd4f218e116a0882b647d1ab7764dc8a63c188c81f97b7
                                                                                          • Opcode Fuzzy Hash: 0723ae6cc5817654a2ceef851ad7cc6810c06d4b42b7d5d0452ea97b27460cf8
                                                                                          • Instruction Fuzzy Hash: 0C217530E14209DFCB05DFA4C484AEEBBB1FF49315F5842A9D809AB290C7749B86CB44
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 0527A568 Relevance: .1, Instructions: 65COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.351160200.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5270000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 174e071ec6b60452d48977d9c50a4e6098e134fec79d5f5d87c712c2006e01ea
                                                                                          • Instruction ID: 87333fbba97944cc4bb19ada80649059ed2fa009a82bd2afd7dfd9db22f05158
                                                                                          • Opcode Fuzzy Hash: 174e071ec6b60452d48977d9c50a4e6098e134fec79d5f5d87c712c2006e01ea
                                                                                          • Instruction Fuzzy Hash: B2212370E14209DFCB04DFA8C444BEEB7B1BF48304F5445A9D809A7394D7749B85CB44
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2330B Relevance: .0, Instructions: 22COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f1129415e5fbdb6131374206d06a07b3eff398f38e355a55e02bae6b0d25845f
                                                                                          • Instruction ID: 1fba2ceda1454e43cf54234955e3eb4ee6a5b34bd3111eded732b4a89816c46b
                                                                                          • Opcode Fuzzy Hash: f1129415e5fbdb6131374206d06a07b3eff398f38e355a55e02bae6b0d25845f
                                                                                          • Instruction Fuzzy Hash: F3D017B9E68268DACB10AFA9D8842FCF370FB87310F0020A6C11DB3141C7308A918E59
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2BC6D Relevance: .0, Instructions: 21COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 829b7be3b3efdbd2c9de32e9b30bf0a72062b7ca8b9e2575c6544df531f869eb
                                                                                          • Instruction ID: 038ccb26795850519371fb1d4c2942cc6809f3b8f7333e5e8c81f0c58204f668
                                                                                          • Opcode Fuzzy Hash: 829b7be3b3efdbd2c9de32e9b30bf0a72062b7ca8b9e2575c6544df531f869eb
                                                                                          • Instruction Fuzzy Hash: D3D0ECB9D98068D6CB10DE55D9841FCF370AB46350F0020A6C50DB3140D7709D828A09
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C2BB83 Relevance: .0, Instructions: 21COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e0b58023a12c3b46f5923255502a7552834a7031bcaf773a75aecad7e3ad1748
                                                                                          • Instruction ID: b710df7b46254be31e076d4b04cc07db27f07470d88940fdef85d05b3d0575b7
                                                                                          • Opcode Fuzzy Hash: e0b58023a12c3b46f5923255502a7552834a7031bcaf773a75aecad7e3ad1748
                                                                                          • Instruction Fuzzy Hash: A0D0ECB9D8901ED6CB109E55E6481FCF3709B86250F1060B6851DB3144D63099804F15
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 07C228D5 Relevance: .0, Instructions: 21COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.352669763.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7c20000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2aabdc33137e5fda672588486e4ad57e6ff302f5f0cb071f9333ab2bf6f993d3
                                                                                          • Instruction ID: 23d788038f7610e6f237a37186d2f626612949f6922259c388d26095d18129a2
                                                                                          • Opcode Fuzzy Hash: 2aabdc33137e5fda672588486e4ad57e6ff302f5f0cb071f9333ab2bf6f993d3
                                                                                          • Instruction Fuzzy Hash: 7FD0E2B9D581289ACB10AEA9A9403FCF374BB96210F0125A6810DB3154CB308A809B25
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 05279EF5 Relevance: .0, Instructions: 11COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.351160200.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5270000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction ID: 5b13cb0ad030ffaaef5db1d6f7fa94ba68a2ffbadfe1cff11e7d5908e10e98b7
                                                                                          • Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction Fuzzy Hash: 8CB09236E1010896DB00CEC4A0003FCF774EB82226F002067C208B3500C27086A8469A
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 05272B75 Relevance: .0, Instructions: 11COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.351160200.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5270000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction ID: ea11c211f1402dcda074bbf8db9e1aaea747e9c6faad439862ea8fdfb025f59d
                                                                                          • Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction Fuzzy Hash: F8B0923AE10008D6CF00CEC4A0003FCF770EB82226F002062C208B3500C3708668469A
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 05279A2D Relevance: .0, Instructions: 11COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.351160200.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_5270000_RegSvcs.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction ID: 79c7530029ea2387bab33dc24a62bbac06a9a925e34f9fed6a59a4c280b7e137
                                                                                          • Opcode Fuzzy Hash: f4279fb7a376c8f0292a8cc686e6e49d209be210cad85753f9b6f9ddfa214db3
                                                                                          • Instruction Fuzzy Hash: B7B09236E2110896CB00CEC4A0003FDF770EBC2226F102062C608B3500D27086A8469A
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          Function 01420F38 Relevance: .5, Instructions: 510COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 96c2675c14bbe2602e3e7c47253ac30ed60c8a0a2a7463501e347caf62d0d9e0
                                                                                          • Instruction ID: 6e186cc4466ad8aa82fefd9d317d84d49d0aab12481a8847d7521710955ae8c6
                                                                                          • Opcode Fuzzy Hash: 96c2675c14bbe2602e3e7c47253ac30ed60c8a0a2a7463501e347caf62d0d9e0
                                                                                          • Instruction Fuzzy Hash: FC227C307016129FC724DF25E69066B73A6FB88309B648539C546CB399DB3AECC6CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01420728 Relevance: .3, Instructions: 301COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c502dfd769046c7cbdeb1b53fad50ff4958d8e0f4571e48f4b738322214ed0de
                                                                                          • Instruction ID: 8b6cdc515a6899146e660ef5b14afd5ad04e10f8246fb995f584cc70c0ada932
                                                                                          • Opcode Fuzzy Hash: c502dfd769046c7cbdeb1b53fad50ff4958d8e0f4571e48f4b738322214ed0de
                                                                                          • Instruction Fuzzy Hash: 69314231A043948FDB21CB74D5182DE7FF6EF44310F0480AAD406AB265DB7A9DC6CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 014208F0 Relevance: .2, Instructions: 190COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b32300dfe0afd17cbe6f4e3a2bf616d1bb892af717902639553615ebd9a50f4f
                                                                                          • Instruction ID: 325f3b0fc985dd0e78fdfc12b743d7bc0f3e685d281bb420f91cd06b7e62b032
                                                                                          • Opcode Fuzzy Hash: b32300dfe0afd17cbe6f4e3a2bf616d1bb892af717902639553615ebd9a50f4f
                                                                                          • Instruction Fuzzy Hash: 0371EE30A002558FDB259FB4D50869EBBF6EF88304F14852AE506A77A4DF76ECC6CB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01420E31 Relevance: .1, Instructions: 88COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ffdde36cd5c80ff8afdf52814c408afc22fb1c564e4dc3af4a186be74e0dec1
                                                                                          • Instruction ID: 07e9f0467584e16fc1fa03639fdf055d076a52349f84bbea1effb48d281cb107
                                                                                          • Opcode Fuzzy Hash: 6ffdde36cd5c80ff8afdf52814c408afc22fb1c564e4dc3af4a186be74e0dec1
                                                                                          • Instruction Fuzzy Hash: 89310670B412608FC759AB38D56896D37E2AF8A61931208BDE502CF775DF36DC86CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01420E40 Relevance: .1, Instructions: 81COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 74d753e947a78a561c6a57dcbcec1a3574f03a7b5e6d7cebce0abf991ffe7a36
                                                                                          • Instruction ID: 230a74224baf0a7a073ad8cfc15a4644ac0524dce7bc5cb8fc66759b0bad5e49
                                                                                          • Opcode Fuzzy Hash: 74d753e947a78a561c6a57dcbcec1a3574f03a7b5e6d7cebce0abf991ffe7a36
                                                                                          • Instruction Fuzzy Hash: A1213A747412608FC758AB38D16892D37E2AF8961932208BCE506CF775DF36EC86CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 014216D8 Relevance: .1, Instructions: 69COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2dde7b9b87b23f6edc32d3d2faf6510cc88a749adc8e0eede689af5f2cb19642
                                                                                          • Instruction ID: 59e3a7ae3e2e7a18ec8007e1423dda3d1c41f5ea2bc9069e7ddf6b6b39abea94
                                                                                          • Opcode Fuzzy Hash: 2dde7b9b87b23f6edc32d3d2faf6510cc88a749adc8e0eede689af5f2cb19642
                                                                                          • Instruction Fuzzy Hash: E0110630B14218AFC714EF78E5546AE77E9EFC5618F104169C609EB350DF399C46CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 014217F8 Relevance: .0, Instructions: 47COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3f0dfbc380686e90f1262708ceec55c3d4bab470b5ff0f8277f7cc7f26f0d20c
                                                                                          • Instruction ID: 915f13a81193dfefe66f682224af70351d1ca55a04012bd273f4e443577219a9
                                                                                          • Opcode Fuzzy Hash: 3f0dfbc380686e90f1262708ceec55c3d4bab470b5ff0f8277f7cc7f26f0d20c
                                                                                          • Instruction Fuzzy Hash: 4B11CE35E002499FCB14DFB5D9449EEBBF5FF89210B1082AAE518DB221E7359995CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01421808 Relevance: .0, Instructions: 44COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8da081cea42ca88d7678fc15f0b9437953d2b79efacfa9b55fa9b60e5fef70b0
                                                                                          • Instruction ID: be9776bc7e294c8fe83186642a12146237f2ce98b57672349590884e5d9d08d0
                                                                                          • Opcode Fuzzy Hash: 8da081cea42ca88d7678fc15f0b9437953d2b79efacfa9b55fa9b60e5fef70b0
                                                                                          • Instruction Fuzzy Hash: 83019235E002059FCB50DFB5D9408EFFBB5FF8D2107108266E518D7220E775A955CB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01420480 Relevance: .0, Instructions: 37COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 49c383c2df1c2680891b9ecaa2d46333117538fd582e628f96fa0249c0138412
                                                                                          • Instruction ID: 2179ab0f86b9d72be62cb382fe1e5a6dcd1ada86b9b372d48a6a2c5eba1c5695
                                                                                          • Opcode Fuzzy Hash: 49c383c2df1c2680891b9ecaa2d46333117538fd582e628f96fa0249c0138412
                                                                                          • Instruction Fuzzy Hash: D5F09071A0A368AFC742ABBCA9511DE7FF4EE06324B0500FBD589D7122E2344D55CBE2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 01420B9C Relevance: .0, Instructions: 23COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ddbee16afd261f1000b92aa371e9e2c4109c5a97f2822895ea4eeba2310d264d
                                                                                          • Instruction ID: 258f6b85a6fc4d426e08a7c08113e5a70465ca5ce2e7ea20fc9d71a25cea433e
                                                                                          • Opcode Fuzzy Hash: ddbee16afd261f1000b92aa371e9e2c4109c5a97f2822895ea4eeba2310d264d
                                                                                          • Instruction Fuzzy Hash: FFF01C71A002558FDB24DFB4C1587AE7BF0AF08318F250899E442A73A5CB7599C5CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 014204A8 Relevance: .0, Instructions: 17COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.316725449.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_1420000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 13540a44d671060a2e981bba239a10c5b6c3825bbd33225229338b8e388667c9
                                                                                          • Instruction ID: 9e2dd1f24495c93317cddef08059708373c55222914cb1d384ace2d2450756cc
                                                                                          • Opcode Fuzzy Hash: 13540a44d671060a2e981bba239a10c5b6c3825bbd33225229338b8e388667c9
                                                                                          • Instruction Fuzzy Hash: 9DD067B1D04229AF8B50EFB99A051EEBBF8EA08250F5045B6D919E3204E6715A118BD1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          Function 00CF0F38 Relevance: .6, Instructions: 578COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 19ea0a91177322b5a28f253a548789f213a8ced52030d79d2c1dac59345c0cd7
                                                                                          • Instruction ID: 145db3dff57e30da3ec0161e2d10f58b9d18990e6c8b40781b933aa0e85931b1
                                                                                          • Opcode Fuzzy Hash: 19ea0a91177322b5a28f253a548789f213a8ced52030d79d2c1dac59345c0cd7
                                                                                          • Instruction Fuzzy Hash: D1329030701605CFC714EF60E594A7A73B3EBC8309B25856CD9468B399DB35ED86CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF0728 Relevance: .4, Instructions: 415COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7a9a5d25813ae91df4de28caa18e3fbdb9c5008a2922e5566ed2f8b1b1216fe1
                                                                                          • Instruction ID: aadcf483347750d00c63fe012c74d21c0cdc13ac52b5057c2039cfe208c8a05e
                                                                                          • Opcode Fuzzy Hash: 7a9a5d25813ae91df4de28caa18e3fbdb9c5008a2922e5566ed2f8b1b1216fe1
                                                                                          • Instruction Fuzzy Hash: 6B811431A007488FCB15DBB0C818AADBBB3EF88304F268569D546A7766DF70ED85DB41
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF0E31 Relevance: .1, Instructions: 88COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ced3ee976142f05e2dbca7ad410f2692aeebc5486411c0000716f6f7c2ee8fe3
                                                                                          • Instruction ID: cc1db63ed2220bb8ed321d7d3d422376a033414c34f8f43c6a701eda8f196019
                                                                                          • Opcode Fuzzy Hash: ced3ee976142f05e2dbca7ad410f2692aeebc5486411c0000716f6f7c2ee8fe3
                                                                                          • Instruction Fuzzy Hash: D13171707051508FC759AB38D56896D37E2AF8961932208FDE502CF776DB35DC46CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF0E40 Relevance: .1, Instructions: 81COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 34d95414a01eabaf4480c2fd79383a491c82e7178d715b1843bc8e5ac2d1d089
                                                                                          • Instruction ID: c26a5920c4b413a4c5d2b7ae6c921f72be3d0e46267044e1f0fb360e33dd4eaf
                                                                                          • Opcode Fuzzy Hash: 34d95414a01eabaf4480c2fd79383a491c82e7178d715b1843bc8e5ac2d1d089
                                                                                          • Instruction Fuzzy Hash: A121E6747011608FC758AB78D56896D33E2AF8965932208B8E506CF775DF36EC86CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF17F8 Relevance: .0, Instructions: 47COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 99fb8470060c3b289da882fb53474f145412394c59441dc9d7ac0102e38457ab
                                                                                          • Instruction ID: 965e92fa26312b24beed67b056a8e24679d693c158ae7a478484d74643a56de7
                                                                                          • Opcode Fuzzy Hash: 99fb8470060c3b289da882fb53474f145412394c59441dc9d7ac0102e38457ab
                                                                                          • Instruction Fuzzy Hash: CA11A575E002459FCB40DFB4D8849EEFBF2FF89200B1486AAE51597621D7709945CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF1808 Relevance: .0, Instructions: 44COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b07b30c019765056c164127fef6af41889b16f0849f6942fc6983fd5b6cfb659
                                                                                          • Instruction ID: 24a4ca0384e2dfc85fd51900c15f19890fe69deef3cee0d65746d47c2fb15ae5
                                                                                          • Opcode Fuzzy Hash: b07b30c019765056c164127fef6af41889b16f0849f6942fc6983fd5b6cfb659
                                                                                          • Instruction Fuzzy Hash: 79019235E002059FCB40EFB4D8848EEFBF6FF8921071086A6E514D7321E730A945CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF0480 Relevance: .0, Instructions: 36COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f284b6a0d6819bd46ece87fcf1c0447f6102ff906fb7f95cc6965c5537c3a426
                                                                                          • Instruction ID: b66c223e216fd968095f0c845092c3bf4b5575c3dac18d526dbd222ea925ecb8
                                                                                          • Opcode Fuzzy Hash: f284b6a0d6819bd46ece87fcf1c0447f6102ff906fb7f95cc6965c5537c3a426
                                                                                          • Instruction Fuzzy Hash: 03F06D3480E3859FC7139B74A8550997FB0AE07200B5A41EBC886DB1A3D3344D1ECBA2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF0B9C Relevance: .0, Instructions: 23COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3b4180a2d1938adf96a32d48358a3590ad16bfb9e7c88fddb2095639c55cfaf9
                                                                                          • Instruction ID: 887847aa77683c5fbc98aacb8f0051c9e32daba8f36c7b09109f640b6a772616
                                                                                          • Opcode Fuzzy Hash: 3b4180a2d1938adf96a32d48358a3590ad16bfb9e7c88fddb2095639c55cfaf9
                                                                                          • Instruction Fuzzy Hash: D7F01C71A402498FDB14DFB4C559BAD7BB0AB08718F250898D552A73A2CB749D84CB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF16D8 Relevance: .0, Instructions: 18COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0fb5a9fbf43592a1560d67de21fc710221d513efeb11e9f10de4f5a12cd62799
                                                                                          • Instruction ID: 8b83554ccb4b3297560d1c738e7ffcc5fb1676ac99c4076cac08cf426a164de1
                                                                                          • Opcode Fuzzy Hash: 0fb5a9fbf43592a1560d67de21fc710221d513efeb11e9f10de4f5a12cd62799
                                                                                          • Instruction Fuzzy Hash: 7BD017357402149FC714EBA8E909A967BA8AB09A51F1140A5EA08CB2A4DB62ED14CBD2
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Function 00CF04A8 Relevance: .0, Instructions: 17COMMON
                                                                                          Download Yara Rule
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001A.00000002.334645289.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_26_2_cf0000_WindowsUpdate.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c6349f151a1589e2ea4c8047de52d049629d4a87a85d3e0eeac7a9bed47822a
                                                                                          • Instruction ID: 7556df944b3a219c5bd1ec534eb134eb9e122207a350cfe837fd248bafac4549
                                                                                          • Opcode Fuzzy Hash: 7c6349f151a1589e2ea4c8047de52d049629d4a87a85d3e0eeac7a9bed47822a
                                                                                          • Instruction Fuzzy Hash: 1CD067B1D0122DAF8B80EFF999055EEBFF8EA08650B1145A6DA19E3201E6705A10DBD1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%